A serious security vulnerability has been discovered in the widely used WordPress plugin Forminator, placing over 600,000 active WordPress sites at risk. The flaw, disclosed by security researchers at Wordfence on July 2, 2025, allows authenticated attackers to delete arbitrary files on the server.
What Is the Forminator Plugin Vulnerability?
The vulnerability affects Forminator versions before 1.29.3. Forminator is a popular plugin used to build contact forms, surveys, quizzes, and polls on WordPress sites. Due to a lack of proper input validation in the file upload feature, attackers with subscriber-level access or higher can manipulate requests and instruct the plugin to delete any file on the server that the web server user can access.
This means that critical WordPress core files, themes, or plugins could be removed, leading to a broken site or a complete website takedown.
How Does the Attack Work?
An attacker first needs to gain access to any valid user account on a vulnerable WordPress site. Once authenticated, they can craft malicious requests exploiting the insecure file deletion mechanism in Forminator’s upload endpoint. Since many WordPress sites allow user registration (think membership, LMS, or community sites), even a subscriber account is sufficient to launch an attack.
Who Is Affected?
Any WordPress site running Forminator versions earlier than 1.29.3 is vulnerable.
According to WordPress.org, Forminator has more than 600,000 active installations, meaning a significant number of websites remain exposed if they haven’t updated.
Websites that allow user registration are at particular risk because attackers can simply create an account and exploit the vulnerability without requiring administrator privileges.
Wordfence Awards Record-Setting Bug Bounty
In recognition of the severity of this flaw, Wordfence awarded its largest bounty ever: $8,100. This bounty was paid to the researcher who responsibly disclosed the vulnerability through the Wordfence Bug Bounty Program. According to Wordfence, this is the highest single bounty amount awarded in the program’s history.
The unprecedented payout underscores the critical nature of the vulnerability—and highlights the importance of responsible disclosure programs in keeping the WordPress ecosystem secure.
What Should Site Owners Do?
Wordfence recommends that all WordPress site owners using Forminator update immediately to the patched version, 1.29.3 or newer. The update includes a fix for the vulnerability and prevents attackers from exploiting the flaw.
In addition to updating, site owners should:
- Review user accounts: Audit all user registrations for suspicious or unexpected accounts.
- Harden WordPress security: Disable unnecessary user registration or limit it with tools like CAPTCHA or email verification.
- Use a security plugin: Implement a firewall such as Wordfence or similar solutions to block malicious traffic proactively.
Has the Vulnerability Been Exploited?
At the time of Wordfence’s report, there was no public evidence of widespread exploitation. However, given the simplicity of the attack and the ease of obtaining subscriber-level access, active exploits could begin at any time.
Final Thoughts
This vulnerability in Forminator serves as a stark reminder of the importance of proactive website maintenance and security. WordPress plugins can add incredible functionality to your site, but they can also introduce serious risks if not kept up to date. A single outdated plugin can give attackers a foothold to compromise your entire website, damage your reputation, or even wipe your data.
At HostScore.net, we strongly recommend not only updating your plugins regularly but also investing time in understanding what features and protections your hosting provider offers to keep your website safe. From advanced DDoS protection to malware scanning, modern hosting plans often come with security features that can make a critical difference when vulnerabilities like this emerge.
Want to learn how to better protect your site? Check out our in-depth guide, Protecting Your Sites: Essential Web Hosting Security Features You Need to Know. It covers the key security tools and practices every website owner should have in place to stay ahead of potential threats.
