CVE-2025-6464 is a deserialization vulnerability classified under CWE-502 affecting the WordPress plugin Forminator Forms – Contact Form, Payment Form & Custom Form Builder, versions up to and including 1.44.2. The vulnerability arises from unsafe deserialization of untrusted input in the 'entry_delete_upload_files' function, which processes data when form submissions are deleted. An unauthenticated attacker can inject a PHP object via a specially crafted PHAR file. However, the vulnerability alone does not lead to exploitation because Forminator Forms lacks a built-in POP (Property Oriented Programming) gadget chain necessary to trigger malicious behavior. Exploitation depends on the presence of another plugin or theme installed on the WordPress site that contains a suitable POP chain. If such a chain exists, attackers could leverage this vulnerability to delete arbitrary files, access sensitive information, or execute arbitrary code on the server. The vulnerability requires no privileges but does require user interaction (the deletion of a form submission). The CVSS v3.1 score is 7.5 (High), reflecting network attack vector, high attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. The vulnerability was published on July 2, 2025, and was reserved on June 21, 2025. Given the widespread use of WordPress and the popularity of Forminator Forms, this vulnerability poses a significant risk especially in environments with multiple plugins and themes.

The potential impact of CVE-2025-6464 is significant for organizations running WordPress sites with the Forminator Forms plugin, particularly those with complex plugin and theme environments. If exploited, attackers could achieve remote code execution, arbitrary file deletion, or data disclosure depending on the presence of a POP chain in other installed components. This could lead to website defacement, data breaches involving sensitive user or business information, disruption of business operations due to file deletion or service outages, and potential lateral movement within the hosting environment. Since the vulnerability is exploitable without authentication but requires user interaction (form submission deletion), attackers might leverage social engineering or automated processes to trigger the exploit. Organizations relying on Forminator Forms for contact, payment, or custom forms face risks to confidentiality, integrity, and availability of their web assets. The lack of a direct POP chain in Forminator reduces immediate risk but does not eliminate it, especially in environments with many third-party plugins or custom themes. The global nature of WordPress usage means this vulnerability could affect a wide range of sectors including e-commerce, education, government, and media.

To mitigate CVE-2025-6464, organizations should first update the Forminator Forms plugin to a version beyond 1.44.2 once a patch is released. Until then, consider the following specific actions: 1) Audit all installed plugins and themes for known POP chains or unsafe deserialization patterns and remove or update risky components. 2) Restrict or monitor deletion of form submissions, especially automated deletions, to trusted administrators only. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious PHAR file uploads or deserialization payloads targeting the 'entry_delete_upload_files' function. 4) Harden the WordPress environment by disabling PHP deserialization where possible or using PHP configuration directives to restrict PHAR stream wrappers. 5) Employ file integrity monitoring to detect unauthorized file deletions or modifications. 6) Limit user interaction paths that trigger form submission deletions or add multi-factor authentication for administrative actions. 7) Regularly back up website data and test restoration procedures to recover from potential destructive attacks. 8) Monitor security advisories from wpmudev and WordPress security teams for patches or additional guidance. These targeted mitigations go beyond generic advice by focusing on the unique exploitation vector and dependency on POP chains.