CVE-2025-9260: CWE-502 Deserialization of Untrusted Data in techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused a fatal error in the vulnerable code, due to a missing class import, so we consider 6.1.2 to be the most complete and best patched version.
AI Analysis
Technical Summary
CVE-2025-9260 is a medium-severity vulnerability affecting the WordPress plugin 'Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder' developed by techjewel. The vulnerability arises from unsafe deserialization of untrusted data in the plugin's parseUserProperties function, specifically in versions from 5.1.16 up to 6.1.1. This flaw enables authenticated attackers with at least Subscriber-level privileges to perform PHP Object Injection (POI). By injecting crafted serialized PHP objects, attackers can exploit a Property Oriented Programming (POP) chain to read arbitrary files on the server. Furthermore, if the server configuration has allow_url_include enabled—a risky setting that allows PHP to include remote files—attackers can escalate this to remote code execution (RCE), potentially taking full control of the affected web server. The vendor attempted to patch the issue in version 6.1.0, but the fix introduced a fatal error due to a missing class import, making version 6.1.2 the first fully patched and stable release. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting a medium severity level, with network attack vector, low attack complexity, and requiring low privileges but no user interaction. No known exploits are reported in the wild yet, but the impact potential is significant given the possibility of file disclosure and remote code execution under certain configurations.
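The summary above describes the general CWE-502 pattern without showing code. The following PHP is an added illustration written for this page, not Fluent Forms' parseUserProperties (whose source is not reproduced here): the function names, the harmless AuditLogger class and the input string are all assumptions, and it targets PHP 8. It places the vulnerable call beside two hardened forms so the difference is visible: with `allowed_classes => false` no class named in the input is ever instantiated, so no magic method and therefore no POP chain can run; with JSON there is no class vocabulary at all.

```php
<?php
// Added example for this page; not code from Fluent Forms. The function
// names, the AuditLogger class and the input string are assumptions.

// Any class with a magic method is a potential gadget once unserialize()
// may instantiate it: __destruct runs when the object unserialize() built
// goes out of scope, with attacker-chosen property values. This class is
// harmless; a real POP chain links classes whose magic methods do more.
class AuditLogger
{
    public string $path = '/tmp/audit.log';

    public function __destruct()
    {
        error_log("AuditLogger::__destruct ran with path={$this->path}");
    }
}

// VULNERABLE (CWE-502): unserialize() on request-controlled data will
// instantiate whatever class name the string carries.
function parseUserPropertiesVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED 1: keep unserialize() but forbid object instantiation. Every
// "O:" token becomes __PHP_Incomplete_Class, whose magic methods never run;
// the walk below then rejects the input outright if any such placeholder
// survived, so callers only ever see scalars and arrays.
function parseUserPropertiesSafe(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    $hasObject = false;
    array_walk_recursive($value, function ($leaf) use (&$hasObject) {
        if (is_object($leaf)) {
            $hasObject = true;
        }
    });
    return $hasObject ? [] : $value;
}

// HARDENED 2 (preferred for new code): JSON has no class semantics at all,
// so there is nothing for a gadget chain to hook.
function parseUserPropertiesJson(string $raw): array
{
    try {
        $value = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    return is_array($value) ? $value : [];
}

// Constructed input: what a stored "user properties" blob looks like once
// an object has been smuggled into it (built with serialize() here, so no
// hand-crafted payload is involved).
$original    = new AuditLogger();
$constructed = serialize(['props' => $original]);

$v = parseUserPropertiesVulnerable($constructed);
echo get_class($v['props']) . PHP_EOL;            // the class was instantiated from input
unset($v);                                        // and its __destruct fires here

var_dump(parseUserPropertiesSafe($constructed));  // empty array: no object was created
var_dump(parseUserPropertiesJson('{"props":{"path":"x"}}'));  // plain nested array
```

The `@` on `unserialize()` only silences the notice for malformed input; the real protection is the `allowed_classes` option, which has existed since PHP 7.0. Code that genuinely needs to round-trip objects should pass an explicit allow-list of class names there rather than `true`.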
Potential Impact
For European organizations, this vulnerability poses a tangible risk, especially for those using WordPress sites with the Fluent Forms plugin for customer engagement, surveys, or data collection. Exploitation could lead to unauthorized disclosure of sensitive files such as configuration files, credentials, or personal data, violating GDPR and other privacy regulations. In environments where allow_url_include is enabled—a misconfiguration but still present in some legacy or poorly maintained servers—attackers could execute arbitrary code remotely, leading to full site compromise, defacement, data theft, or pivoting into internal networks. This could disrupt business operations, damage reputation, and incur regulatory penalties. Since the attack requires only Subscriber-level access, which is often easy to obtain through phishing or weak credential reuse, the attack surface is broad. The lack of user interaction needed further lowers the barrier for exploitation. Given the widespread use of WordPress in Europe for SMEs and large enterprises alike, the vulnerability could affect a significant number of organizations if not promptly addressed.
Mitigation Recommendations
European organizations should immediately verify their WordPress installations for the presence of the Fluent Forms plugin and check the version. Upgrading to version 6.1.2 or later is critical to fully remediate this vulnerability. Administrators should audit server PHP configurations to ensure allow_url_include is disabled, as this setting greatly increases risk if left enabled. Implementing strict access controls to limit Subscriber-level account creation and monitoring for unusual activity can reduce exploitation likelihood. Web application firewalls (WAFs) should be configured to detect and block suspicious serialized payloads or anomalous POST requests targeting the vulnerable function. Regularly scanning WordPress plugins for vulnerabilities and applying patches promptly is essential. Additionally, organizations should conduct internal audits to identify any signs of compromise related to this vulnerability, such as unexpected file reads or code injections. Backup and incident response plans should be updated to handle potential exploitation scenarios.
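The first three recommendations (check the plugin version, check allow_url_include, detect serialized payloads at the WAF or in logs) can be scripted. The following PHP audit helper is an added example for this page and is not Wordfence or Fluent Forms code. It assumes the caller supplies the plugin header text (the plugin file path in the comment is an assumption), uses exactly the version window stated in the advisory, and runs against constructed sample inputs.

```php
<?php
// Added audit helper for this page; not Fluent Forms or Wordfence code.
// The header text and request bodies below are constructed samples, and
// the plugin file path mentioned in the comments is an assumption.

// Version window from the advisory: 5.1.16 through 6.1.1 are affected,
// 6.1.0 and 6.1.1 ship the incomplete fix, 6.1.2 is the recommended floor.
function fluentFormsStatus(string $version): string
{
    if (version_compare($version, '5.1.16', '<')) {
        return 'below affected range';
    }
    if (version_compare($version, '6.1.2', '>=')) {
        return 'patched';
    }
    if (version_compare($version, '6.1.0', '>=')) {
        return 'incomplete patch (fatal error); upgrade to 6.1.2 or later';
    }
    return 'vulnerable';
}

// Pull "Version:" out of a WordPress plugin header block. In production you
// would pass file_get_contents() of the plugin's main PHP file (path assumed,
// e.g. wp-content/plugins/<slug>/<slug>.php).
function pluginVersionFromHeader(string $headerText): ?string
{
    return preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)/mi', $headerText, $m)
        ? $m[1]
        : null;
}

// ini_get() returns "" or "0" when allow_url_include is off and "1" when on.
function allowUrlIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Conservative WAF/log signature: a PHP serialized object or custom-
// serialized class token (O:<len>:"<Class>":<n>:{ or C:<len>:"<Class>":<n>:{)
// anywhere in the URL-decoded body. Scalars and arrays (s:, i:, a:) are not
// flagged, so legitimate serialized settings that carry no objects pass.
function containsSerializedObject(string $body): bool
{
    $decoded = rawurldecode($body);
    return (bool) preg_match('/[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $decoded);
}

// --- constructed samples -------------------------------------------------
$constructedHeader = "<?php\n/**\n * Plugin Name: Fluent Forms\n * Version: 6.1.1\n */";
$version = pluginVersionFromHeader($constructedHeader);
if ($version === null) {
    echo 'Fluent Forms: version header not found' . PHP_EOL;
} else {
    echo "Fluent Forms {$version}: " . fluentFormsStatus($version) . PHP_EOL;
}

echo 'allow_url_include: '
    . (allowUrlIncludeEnabled() ? 'ENABLED, disable it in php.ini' : 'disabled')
    . PHP_EOL;

// A benign serialized settings blob versus one that carries an object
// (both built with serialize(), so nothing here is a hand-crafted payload).
$benignBody = 'data=' . rawurlencode(serialize(['theme' => 'dark', 'count' => 3]));
$objectBody = 'data=' . rawurlencode(serialize(['theme' => new stdClass()]));
var_dump(containsSerializedObject($benignBody));   // benign: not flagged
var_dump(containsSerializedObject($objectBody));   // object token present: flagged
```

The signature deliberately keys on object tokens rather than on any serialized data, because WordPress and many plugins legitimately store serialized arrays; blocking all of `a:` would break normal traffic while `O:`/`C:` tokens in a Subscriber-originated POST body are rarely legitimate. Run the version and ini checks from the same PHP SAPI that serves the site (php-fpm or mod_php), since CLI `php -i` may load a different php.ini.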
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-20T12:35:21.596Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68b77eabad5a09ad00e996ea
Added to database: 9/2/2025, 11:32:59 PM
Last enriched: 9/10/2025, 4:47:08 AM
Last updated: 10/19/2025, 12:54:13 PM