TL;DR
Sites running Ninja Forms older than 3.11.1 accept user-supplied serialized data inside Repeatable Fieldset form elements. The plugin unserializes that data during submission handling, enabling unauthenticated PHP object injection. A working gadget chain means full remote code execution. Version 3.11.1 removes the unsafe call; upgrade immediately if your site exposes public forms.
1. Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2025-9083 |
| Affected Product(s) | Ninja Forms for WordPress prior to 3.11.1 (all configurations) |
| Volerion Risk Score | 8.4 / 10 |
| Exploit Status | Proof-of-concept publicly available |
| CISA KEV | No |
A single HTTP POST against a vulnerable form is enough to trigger the bug. Because Ninja Forms powers more than one million active installations, even a low exploitation rate translates into large-scale compromise.
2. Context - Why this vulnerability matters
WordPress administrators choose Ninja Forms because it offers drag-and-drop form building and complex conditional logic without code. Marketing teams embed those forms on landing pages that accept untrusted data from everyone on the internet. When an unauthenticated bug appears in such a plugin, the blast radius is enormous.
PHP object injection flaws rarely lead directly to code execution, but they open the door. Modern WordPress sites load dozens of plugins, many of which define classes with magic methods such as __wakeup or __destruct. If any of those methods perform risky actions that an attacker can steer, the serialized payload becomes a weapon capable of writing files, executing shell commands or escalating privileges.
3. Technical Details - From Repeatable Fieldset to arbitrary code
The Repeatable Fieldset control stores submitted values as a serialized PHP string so that nested fields can keep their structure. In versions prior to 3.11.1 the plugin processed the field this way inside includes/Fields/Repeater.php:
```php
if ( isset( $_POST[ $field_id ] ) ) {
    $data        = $_POST[ $field_id ];
    $field_value = maybe_unserialize( $data ); // unsafe: unserializes attacker-controlled input
}
```
maybe_unserialize calls unserialize on any string that starts with the serialized data markers (a:, O: or s:). That means attackers can bypass the intended plain-text storage format by sending any PHP object chain they like.
A minimal request looks like this:
```http
POST /contact/ HTTP/1.1
Host: victim.blog
Content-Type: application/x-www-form-urlencoded

nf-field-12=O:8:"stdClass":0:{}
```
Ninja Forms unserializes the payload before it reaches any input validation hooks. If another plugin on the site registers a gadget that executes a system command when deserialized, the attacker has achieved remote code execution without authentication.
Gadget availability in real-world stacks
WordPress environments often include:
- WooCommerce (writes arbitrary files during certain object lifecycles)
- Monolog (invokes system through its ProcessHandler)
- PHPGGC gadget chains packaged by penetration testers
Any of these becomes a route to shell access once the object injection fires.
Why version 3.11.1 is safe
The patch converts the Repeatable Fieldset handler to treat the incoming value strictly as JSON:
```php
$data = json_decode( stripslashes( $_POST[ $field_id ] ), true );
```
json_decode never executes code. If the value is not valid JSON the plugin drops the submission.
4. Impact - From database theft to site takeover
In the worst case an attacker gains the same filesystem and database privileges as the web server user, which on many shared hosts is effectively full control of the WordPress instance. Practical post-exploitation paths include:
- Installing a web shell to maintain persistent access
- Dumping the wp_users table to harvest password hashes and session cookies
- Pivoting to other sites on the same server via local inclusion or credential reuse
- Sending spam or malware from the compromised domain, damaging reputation
Because the exploit is unauthenticated, bots can crawl for vulnerable sites and attack at scale.
5. Remediation - How to protect your site
Upgrade Ninja Forms to 3.11.1 or a later version. The vendor shipped the fix as a routine update, so administrators using WordPress auto-updates may already be protected. To verify, open Plugins → Installed Plugins and confirm the version number.
If an immediate upgrade is impossible:
- Disable all public forms that use the Repeatable Fieldset element
- Deploy a Web Application Firewall that blocks requests containing serialized PHP tokens such as O: or a:
- Monitor wp-content/uploads and wp-includes for unexpected new files
Keep in mind that these measures only buy time and do not eliminate the root cause.
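The WAF and log-review mitigations above, as an added example that is not Ninja Forms or Volerion code: it flags form fields whose URL-decoded value begins with the PHP serialization grammar that maybe_unserialize keys on, rather than grepping for "O:" or "a:" anywhere, which misses percent-encoded payloads and mis-flags ordinary text such as "RE: Monday". The nf-field-<id> naming pattern is taken from the sample request; the request bodies are constructed.

```python
import re
from urllib.parse import unquote_plus

# Top-level PHP serialization tokens: object, array, string, int, bool,
# float, null. Only O: and a: can carry objects, but any of them at the
# start of a free-text field means someone is feeding the unserializer.
SERIALIZED_RE = re.compile(
    r'^(?:O:\d+:"[^"]+":\d+:\{|a:\d+:\{|s:\d+:"|i:-?\d+;|b:[01];|d:-?\d+(?:\.\d+)?;|N;)'
)
CLASS_RE = re.compile(r'^O:\d+:"([^"]+)"')
# Field naming pattern assumed from the advisory's sample request (nf-field-12).
NF_FIELD_RE = re.compile(r"^nf-field-\d+$")


def parse_form_body(body: str):
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs."""
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def suspicious_fields(body: str):
    """Return (field, decoded value, object class or None) for serialized values."""
    hits = []
    for name, value in parse_form_body(body):
        if NF_FIELD_RE.match(name) and SERIALIZED_RE.match(value):
            m = CLASS_RE.match(value)
            hits.append((name, value, m.group(1) if m else None))
    return hits


# Constructed sample bodies (not captured traffic): 0 is the advisory's
# request, 1 is the same payload percent-encoded, 2 is a legitimate JSON
# value like the patched plugin expects, 3 and 4 are ordinary text.
SAMPLE_BODIES = [
    'nf-field-12=O:8:"stdClass":0:{}',
    "nf-field-12=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&nf-field-3=hello",
    "nf-field-12=%7B%22rows%22%3A%5B%5D%7D",
    "nf-field-7=RE%3A+Monday+meeting&nf-field-8=a%3A+b",
    "nf-field-9=Note%3A+see+attachment",
]

if __name__ == "__main__":
    for idx, body in enumerate(SAMPLE_BODIES):
        hits = suspicious_fields(body)
        print(idx, "FLAG" if hits else "ok", hits)
```

Feed it decoded POST bodies from a reverse proxy or WAF log; a hit naming a class other than stdClass is worth correlating with the gadget classes listed above.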
6. Timeline
| Date (UTC) | Milestone |
|---|---|
| 2025-09-15 | Ninja Forms 3.11.1 released with the fix |
| 2025-09-18 06:15 | CVE-2025-9083 published on NVD |
| 2025-09-18 06:18 | Volerion completes enrichment and publishes risk score |
| 2025-09-18 07:00 | Public discussion begins on social media as WPScan advisory goes live |
7. References
- WPScan advisory: https://wpscan.com/vulnerability/60b4d7fc-5d23-4dcf-bd7f-e202cabc2625/
- Ninja Forms changelog: https://wordpress.org/plugins/ninja-forms/#developers
- PHPGGC gadget list for WordPress: https://github.com/ambionics/phpggc
About Volerion
Volerion delivers AI-driven enrichment minutes after a CVE goes live. A single call to our REST API returns CVSS 4.0 vectors, exploitability metrics and affected products complete with remediation. Additionally, we offer different scoring profiles, complete with insight into the eight comprehensive categories that make up the final score. Our API is also available in the traditional NVD API 2.0 format, so integration is as simple as swapping hosts. Spend less time parsing CVEs and more time closing them.
How the Volerion Risk Score Fits With CVSS, EPSS and KEV
At the time of writing:
- This CVE carries a 10.0 base score under CVSS 3.1, signalling maximum impact and trivial exploitation. CVSS captures technical severity but not likelihood.
- EPSS has not yet published a value. The absence of data is common for very recent disclosures and does not imply safety.
- The vulnerability is not present in CISA’s KEV catalog, so United States federal agencies are not yet under a binding directive to patch.
The Volerion Risk Score for CVE-2025-9083 is 8.4. That places it firmly in our critical band because the plugin is widely deployed and exploitation requires no credentials or user interaction, even though the official catalogs have not caught up.