CVE-2025-6464

Name of the Vulnerable Software and Affected Versions: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to, and including, 1.44.2

Description: The issue is related to PHP Object Injection via deserialization of untrusted input in the entry delete upload files function. This allows unauthenticated attackers to inject a PHP Object through a PHAR file. However, the vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code, depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.

Recommendations: For versions up to, and including, 1.44.2, update to a version that fixes the PHP Object Injection issue. As a temporary workaround, consider disabling the entry delete upload files function until a patch is available. Restrict access to the plugin's form submission deletion feature to minimize the risk of exploitation.