CVE-2025-6464
📋 TL;DR
The Forminator WordPress plugin is vulnerable to PHP Object Injection via deserialization of untrusted input when form submissions are deleted. This allows unauthenticated attackers to inject malicious PHP objects through PHAR files, but exploitation requires a separate plugin or theme with a POP chain. All WordPress sites using Forminator versions up to 1.44.2 are affected.
💻 Affected Systems
- Forminator Forms – Contact Form, Payment Form & Custom Form Builder for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
If a POP chain is present via another plugin/theme, attackers could execute arbitrary code, delete files, or steal sensitive data, potentially leading to complete site compromise.
Likely Case
Most sites will not have compatible POP chains, resulting in no immediate impact, but the vulnerability creates a dangerous attack surface that could be exploited if vulnerable components are added later.
If Mitigated
With proper security controls like WAF rules blocking PHAR file uploads and regular plugin updates, the risk is significantly reduced even if the vulnerability exists.
🎯 Exploit Status
Exploitation requires finding or creating a compatible POP chain from other installed components, which adds complexity but is feasible for skilled attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.44.2
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?old_path=%2Fforminator&old=3319860&new_path=%2Fforminator&new=3319860&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Forminator and click 'Update Now'.
4. Verify that the installed version is after 1.44.2.
🔧 Temporary Workarounds
- Block PHAR file uploads via WAF: configure the web application firewall to block uploads containing PHAR file signatures
- Disable form submission auto-deletion: change Forminator settings to prevent automatic deletion of form submissions
🧯 If You Can't Patch
- Temporarily disable the Forminator plugin until patching is possible
- Implement strict file upload restrictions to block PHAR files at the server level
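Both the WAF workaround and the server-level upload restriction above come down to refusing PHAR content at the upload boundary. The following Python upload gate is an added example, not Forminator's code and not part of this advisory. It shows why an extension check alone is not enough: PHP recognises a PHAR archive by the `__HALT_COMPILER();` token that terminates its stub, so a PHAR can sit behind a valid image header under any file name (a "polyglot"). The sample files, the BLOCKED_EXTENSIONS policy list and the SCAN_LIMIT value are constructed for this example.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, Tuple

# PHP's phar loader locates the archive by the token that ends the stub.
# Matched case-insensitively and with optional whitespace so the check is
# conservative rather than exact.
PHAR_STUB_RE = re.compile(rb"__halt_compiler\s*\(\s*\)\s*;", re.IGNORECASE)

# Hypothetical site policy: extensions that are never legitimate form uploads.
BLOCKED_EXTENSIONS = {".phar", ".php", ".phtml"}

# Constructed inspection limit (bytes); large enough for typical form attachments.
SCAN_LIMIT = 4 * 1024 * 1024


def find_phar_stub(data: bytes) -> int:
    """Return the byte offset of a PHAR stub terminator, or -1 if none is present."""
    match = PHAR_STUB_RE.search(data[:SCAN_LIMIT])
    return match.start() if match else -1


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored. Returns (allowed, reason)."""
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {suffix}"
    offset = find_phar_stub(data)
    if offset >= 0:
        return False, f"PHAR stub found at byte {offset} despite extension {suffix or '(none)'}"
    return True, "ok"


# Constructed samples: a GIF header on its own, the same header followed by a
# PHAR stub (a polyglot that still "looks like" a GIF), a text file, and a
# file whose extension alone gets it rejected.
GIF_HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
PLAIN_GIF = GIF_HEADER + b"\x00" * 32
POLYGLOT = GIF_HEADER + b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 64
TEXT_FILE = b"Thanks for your submission!\n"

SAMPLES: Dict[str, bytes] = {
    "avatar.gif": PLAIN_GIF,
    "avatar2.gif": POLYGLOT,
    "note.txt": TEXT_FILE,
    "archive.phar": b"<?php __HALT_COMPILER(); ?>",
}


def scan_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the gate over every constructed sample and collect the verdicts."""
    return {name: check_upload(name, blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in scan_samples().items():
        print(f"{name:14} {'ALLOW' if allowed else 'REJECT'}  {reason}")
```

The content check is the part that matters: avatar2.gif passes the extension test and would pass a MIME sniff that only reads the leading bytes, yet it carries a PHAR stub. A WAF rule expressed as a body pattern on the same token achieves the same effect at the edge.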
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Forminator version. If the version is 1.44.2 or lower, the site is vulnerable.
Check Version:
wp plugin get forminator --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify Forminator version is higher than 1.44.2 in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with .phar extensions
- Multiple failed attempts to access form deletion endpoints
- Unexpected PHP errors related to unserialize()
Network Indicators:
- HTTP POST requests to forminator endpoints with serialized data
- Uploads containing PHAR file signatures
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path LIKE "%/forminator/%") AND (method="POST" AND (request_body LIKE "%phar:%" OR request_body LIKE "%O:%"))
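The SIEM query above scopes on POSTs to admin-ajax.php or a forminator path and then tests the request body for the substrings "phar:" and "O:". The "O:" test is noisy, since any free-text field containing "TODO:" or similar matches it. The Python below is an added example (not part of this advisory) that implements the same scoping over JSON-per-line request records and puts the advisory's literal body test beside a tighter one that matches the phar:// wrapper and the full PHP serialized-object header O:<len>:"<class>":<count>:{. The log records, client addresses and AJAX action names are constructed for the example and are not the plugin's real endpoints.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# A PHP serialized object starts with O:<class-name length>:"<class name>":<prop count>:{
# Matching that full shape avoids firing on every "O:" that appears in free text.
SERIALIZED_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
PHAR_WRAPPER_RE = re.compile(r"phar://", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    client: str
    path: str
    reason: str


def in_scope(rec: dict) -> bool:
    """Same scoping as the advisory's query: POSTs to admin-ajax.php or a forminator path."""
    path = rec.get("uri_path", "")
    return rec.get("method") == "POST" and (
        path == "/wp-admin/admin-ajax.php" or "/forminator/" in path
    )


def coarse_reason(rec: dict) -> Optional[str]:
    """Literal translation of the query's body test: substring 'phar:' or 'O:'."""
    body = rec.get("request_body", "")
    if "phar:" in body:
        return "substring phar:"
    if "O:" in body:
        return "substring O:"
    return None


def refined_reason(rec: dict) -> Optional[str]:
    """Tighter body test: a phar:// wrapper or a well-formed serialized-object header."""
    body = rec.get("request_body", "")
    if PHAR_WRAPPER_RE.search(body):
        return "phar:// stream wrapper in request body"
    if SERIALIZED_OBJECT_RE.search(body):
        return "PHP serialized object header in request body"
    return None


def scan_log(lines, refined: bool = True) -> List[Hit]:
    """Apply the chosen body test to in-scope records; returns one Hit per matching line."""
    judge = refined_reason if refined else coarse_reason
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if not in_scope(rec):
            continue
        reason = judge(rec)
        if reason:
            hits.append(Hit(n, rec.get("client", "?"), rec["uri_path"], reason))
    return hits


# Constructed records in the shape a WAF or application log might emit.
# Lines 3 and 4 are the real concerns; line 2 is an ordinary submission whose
# free text happens to contain "O:"; line 5 is a GET and therefore out of scope.
SAMPLE_LOG = r'''
{"client": "198.51.100.7", "method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "request_body": "action=forminator_submit&form_id=12&name=Ada"}
{"client": "198.51.100.7", "method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "request_body": "action=forminator_submit&form_id=12&message=TODO: call back"}
{"client": "203.0.113.9", "method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "request_body": "action=delete_entries&entry_id=77&file=phar://wp-content/uploads/2025/06/avatar.gif"}
{"client": "203.0.113.9", "method": "POST", "uri_path": "/wp-content/plugins/forminator/x", "request_body": "data=O:8:\"stdClass\":0:{}"}
{"client": "192.0.2.4", "method": "GET", "uri_path": "/wp-content/plugins/forminator/readme.txt", "request_body": ""}
'''.strip().splitlines()


if __name__ == "__main__":
    for label, flag in (("coarse", False), ("refined", True)):
        print(f"== {label} ==")
        for h in scan_log(SAMPLE_LOG, refined=flag):
            print(f"line {h.line_no}: {h.client} {h.path} :: {h.reason}")
```

Two practical points follow from running it. Standard web-server access logs do not record request bodies, so this logic only works on WAF or application-level request logging. And the coarse test flags line 2 purely because of "TODO:", while the refined test keeps lines 3 and 4; the page's query is a reasonable starting point but the serialized-object pattern should be tightened before it is used for alerting.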
🔗 References
- https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249
- https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1263
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fforminator&old=3319860&new_path=%2Fforminator&new=3319860&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6707aa4c-c652-42c0-bdb9-00be984e7271?source=cve