CVE-2025-6464
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission DeletionThe Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.
We have discovered 66,772 live websites that are affected by CVE-2025-6464.
Affected Software
| Product |  Forminator |
| Category | Wordpress Plugins |
| Vulnerable Domains | 66,772 live websites (100% of Forminator install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 130 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-502 Deserialization of Untrusted DataDetails
- Published - Jul 2, 2025
- Updated - Jul 2, 2025
Credits
- Nguyen Tan Phat (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-6464 United States | 27,779 websites |
 Germany | 6,956 websites |
 France | 4,447 websites |
 GB | 3,761 websites |
 Denmark | 2,819 websites |
 Cyprus | 2,231 websites |
 Italy | 1,664 websites |
 Netherlands | 1,658 websites |
 South Africa | 1,362 websites |
 Poland | 1,160 websites |
Website Distribution by TLD
Number of websites using CVE-2025-6464| .com | 28,972 websites |
| .org | 3,582 websites |
| .co.uk | 3,408 websites |
| .de | 2,882 websites |
| .dk | 2,313 websites |
| .fr | 2,272 websites |
| .nl | 1,940 websites |
| .com.au | 1,597 websites |
| .it | 1,371 websites |
| .ca | 1,209 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-6464
Top websites that are affected by CVE-2025-6464. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *,*** | |
| ********.org | United States | *,*** | |
| ******.me | United States | *,*** | |
| **************.com | France | **,*** | |
| **********.com | United States | **,*** | |
| ********.it | Italy | **,*** | |
| *****.ru |  Russia | **,*** | |
| *****************.***.uk | GB | **,*** | |
| *******.org | United States | **,*** | |
| ******.com | Germany | **,*** |
FAQ
CVE-2025-6464 is Deserialization of Untrusted Data in Forminator
A total of 66,772 websites have been identified as vulnerable to CVE-2025-6464, based on global website indexing conducted by WebTechSurvey.
The Forminator is affected by the CVE-2025-6464 vulnerability.
Forminator versions up to and including 1.44.2 are vulnerable to CVE-2025-6464.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6707aa4c-c652-42c0-bdb9-00be984e7271?source=cve
- https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249
- https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1263
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fforminator&old=3319860&new_path=%2Fforminator&new=3319860&sfp_email=&sfph_mail=