CVE-2025-53990 – This vulnerability allows attackers to inject m... (How to Fix)

Q: What is the severity of CVE-2025-53990?

CVE-2025-53990 has a CVSS score of 7.2 (HIGH). This vulnerability allows attackers to inject malicious objects through untrusted data deserialization in JetFormBuilder WordPress plugin. Attackers could execute arbitrary code on affected WordPress sites. All WordPress installations using JetFormBuilder versions up to 3.5.1.2 are affected.

📋 TL;DR

This vulnerability allows attackers to inject malicious objects through untrusted data deserialization in JetFormBuilder WordPress plugin. Attackers could execute arbitrary code on affected WordPress sites. All WordPress installations using JetFormBuilder versions up to 3.5.1.2 are affected.

💻 Affected Systems

Products:

JetFormBuilder WordPress Plugin

Versions: n/a through 3.5.1.2

Operating Systems: All platforms running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with vulnerable JetFormBuilder versions are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete site compromise, data theft, and server takeover.

🟠

Likely Case

Arbitrary code execution allowing backdoor installation, data exfiltration, or site defacement.

🟢

If Mitigated

Limited impact if proper input validation and WAF rules block malicious payloads.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details available on Patchstack; deserialization vulnerabilities are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.1.3 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-1-2-php-object-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find JetFormBuilder and click 'Update Now'. 4. Verify version is 3.5.1.3 or higher.

🔧 Temporary Workarounds

Disable JetFormBuilder Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate jetformbuilder

WAF Rule for Deserialization

all

Add web application firewall rules to block PHP object injection payloads.

🧯 If You Can't Patch

Implement strict input validation on all form submissions
Deploy web application firewall with deserialization attack detection

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → JetFormBuilder version. If version is 3.5.1.2 or lower, you are vulnerable.

Check Version:

wp plugin get jetformbuilder --field=version

Verify Fix Applied:

Verify JetFormBuilder version is 3.5.1.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to JetFormBuilder endpoints
PHP error logs containing unserialize() errors
Web server logs with base64 encoded payloads

Network Indicators:

HTTP POST requests containing serialized PHP objects
Requests with unusual Content-Type headers

SIEM Query:

source="web_logs" AND (uri="*jetformbuilder*" OR uri="*jfb*" OR user_agent="*jetformbuilder*") AND (method="POST" AND size>1000)

📊 Metadata

CVE ID: CVE-2025-53990

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

EPSS Score: 0.11% exploit probability (29.4th percentile)

Published: July 16, 2025

Last Updated: July 16, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-1-2-php-object-injection-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-53990, you might also want to check these: