CVE-2025-9260
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-04
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluentforms | fluent_forms | 5.1.16 |
| fluentforms | fluent_forms | 6.1.2 |
| fluentforms | fluent_forms | 6.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Fluent Forms WordPress plugin (versions 5.1.16 to 6.1.1) is a PHP Object Injection issue caused by deserialization of untrusted input in the parseUserProperties function. Authenticated users with Subscriber-level access or higher can inject malicious PHP objects. This can lead to reading arbitrary files on the server, and if the server has allow_url_include enabled, it can result in remote code execution. The issue was patched in version 6.1.0, but due to a patch error, version 6.1.2 is considered the fully fixed version.
How can this vulnerability impact me?
This vulnerability can allow an attacker with low-level authenticated access to inject PHP objects, potentially leading to unauthorized reading of arbitrary files on the server. In environments where allow_url_include is enabled, it can escalate to remote code execution, allowing the attacker to run arbitrary code on the server. This can compromise the integrity and confidentiality of your website and server environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether the Fluent Forms WordPress plugin is installed and whether its version is between 5.1.16 and 6.1.1 inclusive (6.1.2 and above are excluded). You can check the plugin version via the WordPress admin dashboard or by inspecting the plugin files. On the system, you can search for usage of the vulnerable parseUserProperties function or for signs of PHP Object Injection attempts in logs. Since the vulnerability requires authenticated access at Subscriber level or above, monitoring for suspicious authenticated requests to the plugin endpoints may help. Specific commands to check the plugin version on the server include:
1. Using WP-CLI: `wp plugin list | grep fluentform` to get the installed version.
2. Searching plugin files for the vulnerable function: `grep -r 'parseUserProperties' wp-content/plugins/fluentform/`.
3. Checking web server logs for suspicious POST requests to Fluent Forms endpoints.
However, no direct detection commands for exploitation attempts are provided in the resources.
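As an added example (not part of this advisory or the Fluent Forms project), a POSIX shell check that reads the plugin's `Version:` header and reports whether the installed version falls in the affected range 5.1.16 to 6.1.1. It assumes the plugin's main file is `wp-content/plugins/fluentform/fluentform.php` with a standard WordPress plugin header.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed Fluent Forms
# plugin is in the affected range 5.1.16 .. 6.1.1 (6.1.2 and later are fixed).
# Assumption: the main plugin file carries a WordPress-style "Version:" header.

# version_ge A B  ->  true when dotted version A >= B (compared with sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# fluentform_is_affected VERSION  ->  true when 5.1.16 <= VERSION <= 6.1.1
fluentform_is_affected() {
    version_ge "$1" 5.1.16 && version_ge 6.1.1 "$1"
}

# fluentform_version_from_file FILE  ->  prints the value of the "Version:" header
fluentform_version_from_file() {
    grep -E '^[[:space:]]*(\*[[:space:]]*)?Version:' "$1" | head -n 1 \
        | tr -d '\r' | sed -E 's/^.*Version:[[:space:]]*//; s/[[:space:]]+$//'
}

# check_fluentform_plugin FILE  ->  returns 0 if affected, 1 if not, 2 if unreadable
check_fluentform_plugin() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    ver="$(fluentform_version_from_file "$file")"
    [ -n "$ver" ] || { echo "no Version header found in $file" >&2; return 2; }
    if fluentform_is_affected "$ver"; then
        echo "Fluent Forms $ver is in the affected range 5.1.16-6.1.1: update to 6.1.2 or later"
        return 0
    fi
    echo "Fluent Forms $ver is outside the affected range"
    return 1
}

# Usage: sh check_fluentform.sh /var/www/html/wp-content/plugins/fluentform/fluentform.php
# (assumed path; adjust to your WordPress root)
if [ -n "${1:-}" ]; then
    check_fluentform_plugin "$1"
fi
```

The exit status (0 affected, 1 not affected, 2 unreadable) lets the check be dropped into a fleet-wide inventory script alongside the WP-CLI command above.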
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Fluent Forms plugin to version 6.1.2 or later, as this version contains the complete patch for the PHP Object Injection vulnerability. Avoid using versions 6.1.0 or 6.1.1, as the patch in 6.1.0 caused a fatal error and is incomplete. Additionally, ensure that the PHP configuration directive `allow_url_include` is disabled to prevent escalation to remote code execution. Limit authenticated user roles to trusted users only, as the vulnerability requires Subscriber-level access or higher.