{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"Forminator Flaw Exposes WordPress Sites to Takeover Attacks: Vulnerability Threatens 600,000+ Sites","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/7aa8a59b\"></iframe>","width":"100%","height":180,"duration":3032,"description":"A critical new WordPress vulnerability—CVE-2025-6463—has been discovered in the widely used Forminator plugin, affecting over 600,000 active installations and putting hundreds of thousands of websites at risk of full compromise. In this episode, we dive deep into the mechanics, risks, and remediation of this arbitrary file deletion flaw and explain what every WordPress administrator, developer, and security professional needs to know. At the heart of this issue is improper validation in how the Forminator plugin handles file paths when deleting form entries. This allows unauthenticated attackers to inject file paths into form submissions—even in fields not meant to accept files—and trick the system into deleting critical WordPress files like wp-config.php. The result? A full site reset, granting attackers an opportunity to seize control of the site. Here’s what we unpack in this episode: The CVE-2025-6463 Vulnerability: How the exploit works, which function is flawed (entry_delete_upload_files), and why unsanitized file arrays in form fields make this so dangerous. Real-World Impact: Deleting wp-config.php can reset a WordPress site, giving an attacker a window to install a fresh site under their control. Scope of Exposure: Over 400,000 sites remain unpatched, and many administrators may not even be aware they’re running outdated versions of the Forminator plugin. The Fix in Version 1.44.3: We discuss how the patch restricts deletions to specific field types, limits file deletions to safe directories, and enforces path normalization and filename sanitization. Why WordPress Sites Are Frequent Targets: A broader look at WordPress security—including why abandoned plugins, weak file permissions, brute force attacks, and poor update hygiene continue to lead to compromises. Best Practices to Secure WordPress: Always keep core, themes, and plugins up to date; remove unused plugins and themes completely—not just deactivate them; set secure file permissions (755 for directories, 644...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}