// For flags

CVE-2025-6464

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.

El complemento Forminator Forms – Contact Form, Payment Form &amp; Custom Form Builder para WordPress es vulnerable a la inyección de objetos PHP en todas las versiones hasta la 1.44.2 incluida, mediante la deserialización de entradas no confiables en la función 'entry_delete_upload_files'. Esto permite a atacantes no autenticados inyectar un objeto PHP a través de un archivo PHAR. No se conoce ninguna cadena POP presente en el software vulnerable, lo que significa que esta vulnerabilidad no tiene impacto a menos que se instale en el sitio otro complemento o tema que contenga una cadena POP. Si una cadena POP está presente a través de un complemento o tema adicional instalado en el sistema objetivo, puede permitir al atacante realizar acciones como eliminar archivos arbitrarios, recuperar datos confidenciales o ejecutar código, dependiendo de la cadena POP presente. La deserialización se produce cuando se elimina el envío del formulario, ya sea por un administrador o mediante la eliminación automática determinada por la configuración del complemento.

*Credits: Nguyen Tan Phat
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2025-06-21 CVE Reserved
  • 2025-07-01 CVE Published
  • 2025-07-02 CVE Updated
  • 2025-07-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wpmudev
Search vendor "Wpmudev"
 Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Search vendor "Wpmudev" for product "Forminator Forms – Contact Form, Payment Form & Custom Form Builder"
 <= 1.44.2
Search vendor "Wpmudev" for product "Forminator Forms – Contact Form, Payment Form & Custom Form Builder" and version " <= 1.44.2"
en
Affected