PT-2025-35641 · WordPress · Fluent Forms

Craig Smith · Published 2025-09-02 · Updated 2025-09-03 · CVE-2025-9260

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress, versions 5.1.16 through 6.1.1

Description: The plugin is susceptible to PHP Object Injection due to deserialization of untrusted input within the parseUserProperties function. Authenticated attackers with Subscriber-level access or higher can inject a PHP Object. The presence of a PHP Object Payload (POP) chain enables attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible.

Recommendations: Update to version 6.1.2 or later.
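The deserialization pattern described above, as an added illustration that is not Fluent Forms' code: a request-supplied string handed to unserialize() unrestricted, beside two hardened alternatives. The function names, input shapes and sample strings are hypothetical.

```php
<?php
// Added illustration, not Fluent Forms code: the pattern the advisory
// describes (unserialize() on request-supplied data) beside hardened forms.
// Function names, the input shapes and the sample strings are hypothetical.

// Vulnerable pattern: a string that originated in a request reaches
// unserialize() unrestricted, so any loadable class can be instantiated and
// its magic methods (__wakeup, __destruct, __toString) may run.
function parseUserPropertiesVulnerable(string $raw): array
{
    $data = unserialize($raw); // untrusted input, no class restriction
    return is_array($data) ? $data : [];
}

// Hardened: forbid object instantiation. With allowed_classes => false every
// serialized object becomes __PHP_Incomplete_Class and no magic method fires;
// the result is then rejected outright if any object was present at all.
function parseUserPropertiesHardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        return [];
    }
    return $data;
}

function containsObject(array $data): bool
{
    foreach ($data as $value) {
        if (is_object($value) || (is_array($value) && containsObject($value))) {
            return true;
        }
    }
    return false;
}

// Preferable when the format is under your control: JSON cannot encode PHP
// objects at all, so there is no object graph to restrict.
function parseUserPropertiesJson(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed inputs: a benign array and one carrying a serialized object of
// a made-up class name (no gadget; the class does not exist here).
$benign     = serialize(['first_name' => 'Ada', 'plan' => 'pro']);
$withObject = 'a:1:{s:1:"x";O:8:"SomeType":0:{}}';

var_dump(parseUserPropertiesHardened($benign));
var_dump(parseUserPropertiesHardened($withObject));
```

Restricting classes stops the object-injection path, but unserialize() still parses attacker-controlled bytes; switching the property format to JSON removes that parser from the attack surface entirely.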

Tags: Fix, RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2025-9260

Affected Products: Fluent Forms