PHP Object Injection Vulnerability in Forminator Forms Plugin for WordPress
CVE-2025-6464

7.5HIGH

Key Information:

Vendor: WordPress
Status: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vendor: CVE Published:; 2 July 2025

What is CVE-2025-6464?

The Forminator Forms plugin for WordPress is susceptible to PHP Object Injection due to improper handling of untrusted input in the 'entry_delete_upload_files' function. This vulnerability allows attackers to exploit deserialization when form entries are deleted. While the risk is mitigated if no additional plugins with a PHP Object Injection (POP) chain are installed, if such a chain exists, it could enable attackers to delete files, extract sensitive information, or execute arbitrary code, amplifying the overall risk to site integrity.

Affected Version(s)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder * <= 1.44.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/forminator/tru...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 2, 2025
Vulnerability Reserved
Jun 21, 2025

Credit

Nguyen Tan Phat