PHP Object Injection Vulnerability in Ninja Forms Plugin by Ninja Squad
CVE-2025-9083

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Ninja Forms
Vendor: CVE Published:; 18 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-9083?

The Ninja Forms plugin for WordPress, before version 3.11.1, contains a vulnerability that allows unauthenticated users to exploit PHP Object Injection through unserialization of user input in form fields. If the blog contains a suitable gadget, this flaw could be leveraged, potentially resulting in serious security breaches.

Affected Version(s)

Ninja Forms 0 < 3.11.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-9083 - Proof of Concept

References

https://wpscan.com/vulnerability/60b4d7fc-5d23-4dcf-bd7f-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 18, 2025
👾
Exploit known to exist
Sep 18, 2025
Vulnerability published
Sep 18, 2025
Vulnerability Reserved
Aug 15, 2025

Credit

wcraft

WPScan

JSON