The Forminator Forms plugin for WordPress suffers from a PHP Object Injection vulnerability due to unsafe deserialization in the 'entry_delete_upload_files' function. Unauthenticated attackers can inject a PHP object through a PHAR file. However, exploitation depends on the presence of a POP chain gadget in other installed plugins or themes, which is not present in Forminator itself. The vulnerability manifests when form submissions are deleted, either manually by an administrator or automatically by plugin settings. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, and requiring user interaction with high attack complexity.

If a POP chain gadget is present in other installed plugins or themes, an attacker could leverage this vulnerability to delete arbitrary files, retrieve sensitive information, or execute arbitrary code on the affected WordPress site. Without such a POP chain, the vulnerability cannot be exploited. The vulnerability affects confidentiality, integrity, and availability of the system.

No official patch or fix is currently documented for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, administrators should review installed plugins and themes for potential POP chain gadgets that could be exploited in conjunction with this vulnerability. Consider disabling or removing the Forminator Forms plugin or restricting form submission deletion actions to trusted users only. Monitor vendor channels for updates and apply official fixes once released.