A critical vulnerability (CVE-2025-6463, CVSS 8.8) in the Forminator WordPress plugin allows unauthenticated attackers to delete arbitrary files, potentially taking over over 400,000 websites. Exploitation can target critical files like wp-config.php, leading to full site compromise. A patch was released in version 1.44.3, but most users haven't updated yet.