=====================================================================
          CERT-Renater Information Note No. 2025/VULN419
_____________________________________________________________________

DATE                 : 04/07/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Forminator for WordPress versions prior to 1.44.3.
=====================================================================

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/forminator/forminator-forms-contact-form-payment-form-custom-form-builder-1442-unauthenticated-arbitrary-file-deletion-triggered-via-administrator-form-submission-deletion
_____________________________________________________________________

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion

CVSS               : 8.8 (High)
CWE                : External Control of File Name or Path
CVSS Vector        : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE                : CVE-2025-6463
Publicly Published : July 1, 2025
Last Updated       : July 2, 2025
Researcher         : Phat RiO - BlueRock

Description

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.
This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

References

plugins.trac.wordpress.org

Vulnerability Details for Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Software Type    : Plugin
Software Slug    : forminator
Patched?         : Yes
Remediation      : Update to version 1.44.3, or a newer patched version
Affected Version : <= 1.44.2
Patched Version  : 1.44.3

This record contains material that is subject to copyright.

Copyright 2012-2025 Defiant Inc. License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.

Copyright 1999-2025 The MITRE Corporation License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.
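The flaw class described in the record, as an added illustration that is not Forminator's code: a deletion routine that trusts a path stored with a form submission, next to one that confines the deletion to the uploads directory. The function names and `$uploads_dir` are assumptions.

```php
<?php
// Added illustration of the flaw class in the advisory, not Forminator's code.
// A stored submission field is trusted as a file path and unlinked when the
// entry is deleted. Function names and $uploads_dir are assumptions.

// Vulnerable pattern: whatever path was stored with the submission is deleted,
// so an entry carrying the path of wp-config.php removes that file.
function delete_upload_unsafe(string $stored_path): bool
{
    return is_file($stored_path) && unlink($stored_path);
}

// Hardened pattern: resolve the real path (symlinks included) and require it
// to sit inside the directory this form is allowed to write to.
function delete_upload_safe(string $stored_path, string $uploads_dir): bool
{
    $base = realpath($uploads_dir);
    $real = realpath($stored_path);
    if ($base === false || $real === false) {
        return false; // base dir missing, or target absent / dangling symlink
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        // Worth logging: a stored upload path outside the uploads dir is a
        // tampered submission, not a routine cleanup failure.
        error_log("refused to delete outside uploads dir: $stored_path");
        return false;
    }
    return is_file($real) && unlink($real);
}

// Constructed demo: a real upload inside the allowed directory is removed,
// while stored paths pointing at a stand-in for wp-config.php are refused.
$dir = sys_get_temp_dir() . '/upload_demo_' . uniqid();
mkdir($dir, 0700);
file_put_contents("$dir/upload.txt", 'x');
$config = sys_get_temp_dir() . '/wp-config-demo.php';
file_put_contents($config, '<?php // stand-in for wp-config.php');

var_dump(delete_upload_safe("$dir/upload.txt", $dir));
var_dump(delete_upload_safe($config, $dir));                     // absolute path
var_dump(delete_upload_safe("$dir/../wp-config-demo.php", $dir)); // traversal form
var_dump(file_exists($config));

unlink($config);
rmdir($dir);
```

In a WordPress plugin the allowed base would come from wp_upload_dir(); the realpath() step is what makes a symlink planted inside the uploads directory resolve to its real target and be refused.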
=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41             +
+ 75013 Paris       | email : cert@support.renater.fr  +
=========================================================