Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.
Published: 2025-07-02
Score: 7.5 High
EPSS: 1.3% Low
KEV: No
Impact: Potential remote code execution via PHAR deserialization, realized only where another installed plugin or theme supplies a POP chain
Action: Apply Patch
AI Analysis

Impact

The Forminator plugin for WordPress lets an unauthenticated attacker get a PHAR archive onto the server through a form submission; the serialized metadata inside that archive is unserialized later, when the 'entry_delete_upload_files' function handles the stored upload path during entry deletion, whether an administrator deletes the entry or the plugin's automatic cleanup removes it. Forminator itself contains no known property-oriented programming (POP) chain, so the injected object on its own does not produce code execution. If another installed plugin or theme supplies a usable POP chain, the attacker gets whatever that chain offers: arbitrary file deletion, disclosure of sensitive data, or code execution. No exploit chain exists within Forminator, so the vulnerability has no direct impact unless a compatible POP chain is present elsewhere on the site.
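The deserialization path described above, as an added PHP example that is neither Forminator's code nor taken from the advisory: a generic entry-cleanup routine written in the vulnerable shape (it trusts the stored upload path) beside a hardened version that refuses stream-wrapper schemes and confines deletion to the uploads directory. The function names, the shape of the stored-path list and the demo paths are assumptions; the vulnerable function is shown for the pattern only and is never called on the untrusted input.

```php
<?php
// Added example (not Forminator's code): a generic "delete uploaded files on entry
// deletion" routine in the vulnerable shape, next to a hardened version.
// Function names, the $entry_files input and the demo paths are assumptions.

declare(strict_types=1);

/**
 * Deliberately vulnerable shape: trusts the stored file path as-is.
 * file_exists()/unlink() on a "phar://..." path makes PHP open the archive and
 * unserialize its metadata before any file is removed, so a PHAR that an
 * unauthenticated submitter got onto disk is deserialized with the deleter's
 * privileges. Never call this on untrusted paths.
 */
function entry_delete_upload_files_vulnerable(array $entry_files): int
{
    $deleted = 0;
    foreach ($entry_files as $file) {
        if (file_exists($file)) {   // already triggers the phar parse
            @unlink($file);
            $deleted++;
        }
    }
    return $deleted;
}

/**
 * Hardened version: only ever unlinks a regular file that resolves strictly
 * inside $upload_dir, and refuses any stream-wrapper scheme before touching
 * the filesystem. Returns what was deleted and what was rejected.
 */
function entry_delete_upload_files_hardened(array $entry_files, string $upload_dir): array
{
    $result = ['deleted' => [], 'rejected' => []];
    $base   = realpath($upload_dir);
    if ($base === false) {
        return $result;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($entry_files as $file) {
        // 1. Reject phar://, php://, data://, ... before any filesystem call.
        //    PHP lower-cases the scheme when looking up a wrapper, hence /i.
        if (!is_string($file) || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $file) === 1) {
            $result['rejected'][] = $file;
            continue;
        }
        // 2. Canonicalise and enforce the directory boundary; this also stops
        //    ../ traversal and symlinks that point outside the uploads tree.
        $real = realpath($file);
        if ($real === false || strncmp($real, $base, strlen($base)) !== 0 || !is_file($real)) {
            $result['rejected'][] = $file;
            continue;
        }
        if (@unlink($real)) {
            $result['deleted'][] = $real;
        }
    }
    return $result;
}

// Constructed demo input: one legitimate upload, one PHAR disguised as an image
// (hypothetical file name), one traversal attempt. Only the first is unlinked;
// the other two land in 'rejected' without any filesystem call on them.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/submission.pdf', 'legitimate attachment');

$stored_paths = [
    $dir . '/submission.pdf',
    'phar://' . $dir . '/avatar.jpg/x',   // file_exists()/unlink() would parse this archive
    $dir . '/../../etc/passwd',           // resolves outside $dir
];

print_r(entry_delete_upload_files_hardened($stored_paths, $dir));
rmdir($dir);
```

The order of the two checks matters: realpath() happens to ignore stream wrappers, but file_exists(), is_file() and unlink() do not, so the scheme check has to come before anything that might touch a phar:// path.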

Affected Systems

The affected product is Forminator Forms – Contact Form, Payment Form & Custom Form Builder by wpmudev, a free WordPress plugin. All releases up to and including version 1.44.2 are vulnerable.

Risk and Exploitability

The CVSS v3.1 base score is 7.5 (High) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network without privileges, but with high attack complexity and required user interaction, reflecting that a separate POP chain must be present and that an administrator (or the plugin's scheduled auto-deletion) must delete the entry. The EPSS score of 1.3% indicates a low but non-zero predicted probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Getting the malicious PHAR onto the server needs no authentication; the deserialization itself only runs when the entry is deleted. Impact is realized only on sites that also run a plugin or theme with a reachable POP chain, so the practical risk is tied to the site's plugin ecosystem. Sites without such code have a lower risk profile but should still patch promptly, since a usable chain can arrive with any future plugin or theme install or update.

Generated by OpenCVE AI on April 22, 2026 at 04:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Forminator to a release newer than 1.44.2 that includes the fix.
  • If an immediate update is not possible, reduce exposure: disable file-upload fields on public forms, turn off automatic entry deletion and avoid deleting entries from the dashboard until patched, and, if nothing on the site legitimately opens phar:// paths, unregister the phar:// stream wrapper (stream_wrapper_unregister('phar')) in a must-use plugin so filesystem calls on such a path can no longer deserialize archive metadata. The wrapper change is general PHP hardening, not a vendor-provided workaround.
  • Keep the installed set of plugins and themes minimal and up to date; any component that ships a usable property-oriented programming (POP) chain turns this injection into file deletion, data disclosure, or code execution.

Generated by OpenCVE AI on April 22, 2026 at 04:05 UTC.
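A site-level hardening that goes with the recommendation to block the deserialization path, as an added example that is neither Forminator's nor OpenCVE's code: a WordPress must-use plugin that unregisters the phar:// stream wrapper, plus a check to confirm it took effect. It assumes nothing on the site legitimately opens phar:// paths at runtime (for example a plugin that bundles a .phar); the plugin header text and the check function's name are made up here.

```php
<?php
/**
 * Plugin Name: Disable phar:// stream wrapper
 * Description: Added hardening example (not shipped by Forminator or by OpenCVE).
 *              Drop into wp-content/mu-plugins/ so it loads before every regular plugin.
 *
 * Assumption: nothing on this site opens phar:// paths at runtime. Confirm that
 * with the check below (and a staging run) before relying on it in production.
 */

// Unregister the wrapper once; any later "phar://..." path then fails at the
// stream layer instead of opening the archive and unserializing its metadata.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * Operational check (hypothetical helper name): true once phar:// can no
 * longer be resolved. Run after deployment with WP-CLI, e.g.
 *   wp eval 'var_dump(phar_wrapper_is_disabled());'
 */
function phar_wrapper_is_disabled(): bool
{
    return !in_array('phar', stream_get_wrappers(), true);
}
```

This removes the trigger rather than the planted file: the PHAR a submitter uploaded is still on disk, so it remains worth patching and cleaning up uploads once the fixed release is installed.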

Advisories
Source | ID | Title
EUVD | EUVD-2025-19712 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.
History

Mon, 07 Jul 2025 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Incsub; Incsub forminator
CPEs | | cpe:2.3:a:incsub:forminator:*:*:*:*:free:wordpress:*:*
Vendors & Products | | Incsub; Incsub forminator

Wed, 02 Jul 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 05:45:00 +0000

Type | Values Removed | Values Added
Description | | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.
Title | | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:07.457Z

Reserved: 2025-06-21T00:27:32.323Z

Link: CVE-2025-6464

Vulnrichment

Updated: 2025-07-02T13:14:30.816Z

NVD

Status : Analyzed

Published: 2025-07-02T06:15:23.520

Modified: 2025-07-07T14:22:31.690

Link: CVE-2025-6464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses