
CVE-2025-6464: Incsub Forminator RCE Vulnerability

CVE-2025-6464 is a PHP Object Injection flaw in Incsub Forminator plugin for WordPress that could enable RCE when exploited with a POP chain. This article covers technical details, affected versions, and mitigation strategies.

CVE-2025-6464 Overview

CVE-2025-6464 affects the Forminator Forms plugin for WordPress, a contact, payment, and custom form builder developed by Incsub. The vulnerability allows unauthenticated attackers to trigger PHP Object Injection through deserialization of untrusted input in the entry_delete_upload_files function. Attackers can deliver a malicious payload via a PHAR (PHP Archive) file. Deserialization executes when a form submission is deleted, either manually by an administrator or automatically through plugin settings.

The plugin itself contains no known property-oriented programming (POP) chain, so exploitation requires another plugin or theme on the site to provide one. The vulnerability is classified as CWE-502: Deserialization of Untrusted Data.

Critical Impact

When combined with a POP chain from another installed plugin or theme, attackers can delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the WordPress host.

Affected Products

  • Incsub Forminator Forms plugin for WordPress
  • All versions up to and including 1.44.2
  • WordPress sites with additional plugins or themes containing exploitable POP chains

Discovery Timeline

  • 2025-07-02 - CVE-2025-6464 published to the National Vulnerability Database
  • 2025-07-07 - Last updated in the NVD database

Technical Details for CVE-2025-6464

Vulnerability Analysis

The Forminator Forms plugin processes file paths associated with form submission uploads during entry deletion. The entry_delete_upload_files function in class-form-entry-model.php passes a stored upload path that the attacker controls through submitted form data to PHP file-system functions without validating it. Because those functions resolve stream wrappers, a path beginning with phar:// makes the runtime deserialize the archive's metadata, instantiating arbitrary PHP objects from any class loaded at that point; the plugin never has to call unserialize() itself.

PHP automatically deserializes PHAR archive metadata when file operations (stat-style checks, unlink, fopen and similar) reference a phar:// stream wrapper. This behavior turns any file-path sink into a deserialization gadget. One caveat matters for triage: PHP 8.0 removed this automatic unserialization, so the file-operation trigger applies to hosts still running PHP 7.x; on PHP 8 the metadata is only deserialized by an explicit Phar::getMetadata() call. The Forminator vulnerability exposes this primitive to unauthenticated visitors, since form submissions do not require authentication.

The impact depends on classes loaded in the WordPress runtime. When another plugin or theme exposes a usable POP chain, the deserialization primitive escalates to file deletion, data exfiltration, or remote code execution.
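The following is an added illustration, not Forminator's code: a simplified entry-cleanup routine in the shape the advisory describes, beside a hardened version that refuses wrapper schemes and confines the path to the uploads tree. The function names, the scratch directory layout and the sample paths are assumptions made for the demonstration.

```php
<?php
// Added illustration, not Forminator's code: a simplified entry-cleanup routine in the
// shape the advisory describes, beside a hardened version. The function names and the
// $uploads_dir layout are assumptions for the demonstration.
declare(strict_types=1);

// Vulnerable shape: the stored path is trusted and handed straight to a file-system call.
// file_exists() stands in for any stat/unlink/fopen-style sink; all of them honour stream
// wrappers, so on PHP 7.x a value such as "phar:///var/www/.../upload.png" makes PHP
// unserialize the archive's metadata before the existence check even returns.
function delete_entry_upload_unsafe(string $stored_path): bool
{
    if (file_exists($stored_path)) {          // deserialization happens here on PHP 7.x
        return unlink($stored_path);
    }
    return false;
}

// Hardened shape: refuse anything carrying a scheme, canonicalise, and require the result
// to be a regular file inside the uploads directory before any other file operation sees it.
function resolve_upload_path(string $stored_path, string $uploads_dir): ?string
{
    // A "scheme://" prefix (phar://, php://, data://, ...) is never a legitimate upload path.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $stored_path) === 1) {
        return null;
    }
    $base = realpath($uploads_dir);
    $real = realpath($stored_path);           // false for paths that do not exist
    if ($base === false || $real === false) {
        return null;
    }
    // realpath() has collapsed "../" and followed symlinks, so containment is checked on
    // the canonical form rather than on the string the attacker supplied.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

function delete_entry_upload_safe(string $stored_path, string $uploads_dir): bool
{
    $real = resolve_upload_path($stored_path, $uploads_dir);
    return $real !== null && unlink($real);
}

// Constructed demonstration in a scratch directory: which stored values the hardened
// resolver accepts and which it rejects.
$root        = sys_get_temp_dir() . '/forminator-demo-' . bin2hex(random_bytes(4));
$uploads_dir = $root . '/uploads';
mkdir($uploads_dir . '/sub', 0700, true);
file_put_contents($uploads_dir . '/sub/upload.png', 'not really a png');
file_put_contents($root . '/outside.txt', 'must stay unreachable');

$cases = [
    $uploads_dir . '/sub/upload.png',              // legitimate upload
    'phar://' . $uploads_dir . '/sub/upload.png',  // PHAR wrapper on the same file
    'PHAR://' . $uploads_dir . '/sub/upload.png',  // wrapper names are case-insensitive
    $uploads_dir . '/sub/../../outside.txt',       // traversal out of the uploads tree
    $uploads_dir . '/sub',                         // a directory, not a file
];
foreach ($cases as $p) {
    $verdict = resolve_upload_path($p, $uploads_dir) === null ? 'reject' : 'accept';
    printf("%-6s %s\n", $verdict, $p);
}
```

Run with php on a host where the scratch directory is writable: only the first case is accepted. The scheme check runs before realpath() on purpose, because realpath() itself is a file-system call and would already open the phar:// path on PHP 7.x.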

Root Cause

The root cause is that the file-handling logic for submitted entries performs file operations on untrusted input. The affected paths are at lines 1249 and 1263 of class-form-entry-model.php; the WordPress Code Review links for Line 1249 and Line 1263 point at the vulnerable sinks.

Attack Vector

An unauthenticated attacker submits a form whose file reference is a phar:// URL pointing to a PHAR archive the attacker has already placed on the host. Deserialization triggers when the entry is later deleted, either by an administrator action or by the plugin's auto-deletion routine. That administrator action or scheduled cleanup is what completes the chain and accounts for the User Interaction: Required (UI:R) component of the CVSS vector.

No verified public exploit code is available. The vulnerability mechanism is described in the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-6464

Indicators of Compromise

  • Form submissions containing file path fields with phar:// stream wrapper references
  • Unexpected PHAR archives in the WordPress wp-content/uploads/forminator directory, including ones carrying an image extension (.jpg, .png) rather than .phar, since the phar wrapper ignores the extension
  • Anomalous PHP process activity following deletion of Forminator form entries
  • Outbound network connections or file modifications originating from the web server immediately after entry cleanup operations

Detection Strategies

  • Inspect uploaded files in Forminator upload directories for the __HALT_COMPILER(); stub terminator that every PHAR carries, regardless of file extension; a PHAR polyglot with a valid image header passes extension and MIME checks
  • Audit request logs for POST requests to Forminator submission endpoints whose field values contain phar:// (plain or URL-encoded as phar%3A%2F%2F). In a PHAR attack the serialized object lives in the archive metadata, not in the request, so serialized-object signatures such as O: or a: in a request body point to a direct unserialize() path rather than this vector
  • Monitor the WordPress plugin inventory for the installed Forminator version against the patched release
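The following is an added detection helper that is not part of the original page or of Forminator. It walks an uploads tree for the PHAR stub terminator regardless of extension, and scans log lines for phar:// references in plain and URL-encoded form. The sample files and log lines are constructed; the log format assumes a source that records request bodies or query strings (a WAF audit log or application log), because a standard access log does not capture POST bodies.

```php
<?php
// Added detection helper, not part of the original page or Forminator. Directory layout,
// log format and sample data are constructed for the demonstration.
declare(strict_types=1);

/** True if the file contains the __HALT_COMPILER(); stub terminator that every PHAR carries. */
function looks_like_phar(string $path, int $max_bytes = 4 * 1024 * 1024): bool
{
    // A PHAR polyglot (valid JPEG/PNG bytes followed by a phar stub) keeps the terminator
    // near the front of the file, so a bounded prefix read is enough and keeps the scan cheap.
    $head = @file_get_contents($path, false, null, 0, $max_bytes);
    return $head !== false && stripos($head, '__HALT_COMPILER();') !== false;
}

/** Recursively list files under $dir that look like PHAR archives, whatever their extension. */
function find_phar_uploads(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && looks_like_phar($file->getPathname())) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

/** Return log lines that reference the phar wrapper, plain or URL-encoded, in any case. */
function find_phar_requests(array $log_lines): array
{
    // Matches phar://, phar%3A%2F%2F, phar%3a// and mixed forms; case-insensitive because
    // stream wrapper names are.
    $pattern = '#phar(?::|%3a)(?:/|%2f){2}#i';
    return array_values(array_filter(
        $log_lines,
        fn(string $line): bool => preg_match($pattern, $line) === 1
    ));
}

// --- constructed sample data ---
$root = sys_get_temp_dir() . '/forminator-scan-' . bin2hex(random_bytes(4));
mkdir($root . '/2025/07', 0700, true);
// A genuine upload: PNG signature, no stub anywhere.
file_put_contents($root . '/2025/07/real.png', "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
// A polyglot: PNG signature followed by a minimal stub; the extension is a lie.
file_put_contents($root . '/2025/07/polyglot.png', "\x89PNG\r\n\x1a\n<?php __HALT_COMPILER(); ?>\r\n");
// An undisguised archive.
file_put_contents($root . '/2025/07/archive.phar', "<?php __HALT_COMPILER(); ?>\r\n");

// Constructed request-body log lines (endpoint names and field names are illustrative).
$sample_log = [
    '198.51.100.7 POST /wp-admin/admin-ajax.php body="action=forminator_submit&upload-1=2025/07/real.png"',
    '198.51.100.7 POST /wp-admin/admin-ajax.php body="action=forminator_submit&upload-1=phar%3A%2F%2F/var/www/html/wp-content/uploads/forminator/2025/07/polyglot.png"',
    '203.0.113.9 GET /wp-content/uploads/forminator/2025/07/real.png',
    '203.0.113.9 POST /contact/ body="file=PHAR://../uploads/forminator/2025/07/archive.phar"',
];

foreach (find_phar_uploads($root) as $hit) {
    echo "PHAR content: $hit\n";
}
foreach (find_phar_requests($sample_log) as $line) {
    echo "phar reference: $line\n";
}
```

Against the constructed data the scan flags archive.phar and polyglot.png but not real.png, and the log filter returns the second and fourth lines. Requires PHP 7.4 or later for the arrow function.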

Monitoring Recommendations

  • Enable file integrity monitoring on wp-content/plugins and wp-content/uploads to flag new executable PHP content
  • Forward WordPress application logs and PHP error logs to a centralized SIEM for correlation with web access patterns
  • Alert on PHP process executions spawned by the web server outside of expected request handlers

How to Mitigate CVE-2025-6464

Immediate Actions Required

  • Update the Forminator Forms plugin to the version released after 1.44.2 that addresses this vulnerability
  • Audit all installed plugins and themes for known POP chain gadgets and remove unused extensions
  • Review and purge existing form submissions and uploaded files to eliminate any staged PHAR payloads
  • Restrict administrator-initiated deletion of form entries until the plugin is patched

Patch Information

Incsub addressed the deserialization sink in the Forminator plugin; the fix is visible in the plugin's changeset on the WordPress.org repository (WordPress Changeset Review). Site administrators should upgrade through the WordPress plugin manager or by deploying the updated plugin package from the official repository.

Workarounds

  • Disable the Forminator Forms plugin until the patched release is installed
  • Block uploads of files containing the PHAR signature at the web application firewall layer
  • Unregister the phar stream wrapper at runtime (stream_wrapper_unregister('phar') from a must-use plugin) where no installed component depends on phar://; there is no php.ini directive that disables the wrapper, and phar.readonly only blocks creating archives, not reading them
  • Turn off Forminator's automatic submission deletion feature to prevent automated deserialization triggers
```bash
# Note: PHP has no php.ini directive that disables the phar:// stream wrapper.
# disable_functions accepts only function names (phar_stream_wrapper is not one), and
# the suhosin extension is unmaintained and not available on current PHP releases.
# Unregister the wrapper from PHP code instead (stream_wrapper_unregister('phar') in a
# must-use plugin), or remove the sink by upgrading the plugin.

# Verify the installed Forminator plugin version
wp plugin get forminator --field=version

# Update to the patched release from the official repository
wp plugin update forminator

# Confirm the update took effect
wp plugin get forminator --field=version
```
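The following is an added example, not shipped by Forminator or WordPress: a must-use plugin that unregisters the phar wrapper, which is the runtime equivalent of the configuration change the workaround asks for. Assumptions: the file is placed in wp-content/mu-plugins/ (WordPress's must-use plugin directory, created if absent), no installed component needs phar://, and WP-CLI, which is itself distributed as a PHAR, is skipped via its WP_CLI constant. Because PHP 8 no longer deserializes metadata on file operations, this matters mainly for sites still on PHP 7.x.

```php
<?php
/**
 * Plugin Name: Disable phar:// stream wrapper
 * Description: Added example, not shipped by Forminator or WordPress. Unregisters the phar
 *              stream wrapper so that no file-system sink can trigger PHAR metadata
 *              deserialization. Install as wp-content/mu-plugins/disable-phar.php
 *              (file name is an assumption; any name in that directory loads).
 */

// WP-CLI runs from a .phar and loads its own classes through phar:// paths, so removing the
// wrapper under WP-CLI would break the tool itself. The WP_CLI constant is defined by WP-CLI.
if (defined('WP_CLI') && WP_CLI) {
    return;
}

// Must-use plugins load before regular plugins and themes, so the wrapper is already gone
// when any plugin code performs a file operation on user-controlled input.
if (in_array('phar', stream_wrapper_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Sanity check: if something re-registers the wrapper later in the boot sequence, say so
// in the PHP error log rather than failing silently. Guarded so the file also parses
// outside WordPress.
if (function_exists('add_action')) {
    add_action('init', static function (): void {
        if (in_array('phar', stream_wrapper_get_wrappers(), true)) {
            error_log('disable-phar mu-plugin: phar:// wrapper is registered again; investigate.');
        }
    });
}
```

Verify after deployment by checking that stream_wrapper_get_wrappers() no longer lists phar (for example with wp eval, which runs under WP-CLI and will therefore still see the wrapper; use a short web-served check instead). This is a stopgap for unpatched sites and is not a substitute for updating the plugin.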

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
