CVE-2025-9083
Published: 18 September 2025
Summary
CVE-2025-9083 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Ninjaforms Ninja Forms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-9083, published on 2025-09-18, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the Ninja Forms WordPress plugin in versions before 3.11.1. The issue arises from the plugin unserializing user-supplied input via form fields, enabling PHP Object Injection (CWE-502) when a suitable gadget chain is present on the target blog.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. Exploitation allows attackers to inject malicious serialized objects, potentially leading to severe impacts on confidentiality, integrity, and availability, such as remote code execution if exploitable gadgets exist in the environment.
WPScan advisories recommend updating the Ninja Forms plugin to version 3.11.1 or later to mitigate the vulnerability, as detailed in their vulnerability report.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29844
Vulnerability details
The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote PHP object injection in public-facing WordPress plugin directly enables T1190 for RCE via deserialization gadgets.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the vulnerability by requiring timely application of vendor patches, such as updating Ninja Forms to version 3.11.1 to fix unsafe unserialization of user input.
Validates and sanitizes user-supplied form field inputs to block malicious serialized PHP objects before unserialization occurs.
Restricts form field inputs to prohibit serialized data types or payloads that could enable PHP Object Injection when unserialized.