Severe WordPress Plugin Flaw Puts Over 600,000 Sites at Risk of Remote Takeover
ID: 2ab658b8-a607-5c9c-b58b-b12fa40ce971
STIX ID: report--2ab658b8-a607-5c9c-b58b-b12fa40ce971
Feed Name: Cyber Press
A high-severity vulnerability (CVE-2025-6463, CVSS 8.8) in the Forminator WordPress plugin allows unauthenticated attackers to craft form submissions that cause arbitrary file deletion on the server, including wp-config.php, risking complete site takeover for an estimated 600,000+ sites. The vendor released a patch (1.44.3) that restricts deletions to upload/signature fields, confines deletions to the uploads directory, and sanitizes paths. Administrators should update immediately, verify critical files, review submissions, and enable WAF protection.
