Cyber Resilience

CVE-2025-9083

Critical · Public PoC · RCE

Published: 18 September 2025
Modified: 23 December 2025
KEV Added: not listed
CVSS Score (v3.1): 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0052 (67.3rd percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9083 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Ninja Forms WordPress plugin (vendor: Ninjaforms). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9083, published on 2025-09-18, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the Ninja Forms WordPress plugin in versions before 3.11.1. The plugin passes user-supplied form-field values to PHP's unserialize(), which enables PHP Object Injection (CWE-502) whenever a suitable gadget chain (a class with an exploitable magic method such as __wakeup() or __destruct()) is loaded on the target site.

Exploitation is remote, low complexity, and requires no authentication, privileges, or user interaction. The attacker submits a crafted serialized object in a form field; the impact depends on which gadget classes are present in the WordPress core, theme and plugin code on that site, and can reach remote code execution with full loss of confidentiality, integrity, and availability.
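The following PHP is an added illustration, not code from Ninja Forms, WordPress, or any real gadget chain. It shows the vulnerable pattern the advisory describes (a form-field value handed straight to unserialize()), a constructed gadget class whose destructor performs a file write, two hardened variants, and the kind of pre-deserialization input check the SI-10 control under Mitigating Controls refers to. The class LogFlusher, the handler function names and the /tmp path are assumptions chosen for this example; it targets PHP 8.

```php
<?php
// Added example, not code from Ninja Forms or WordPress. LogFlusher, the handler
// functions and the /tmp path are assumptions chosen for illustration (PHP 8+).

// A constructed "gadget": a class already loaded on the target whose magic method
// does something dangerous with attacker-controlled properties. Real chains reuse
// classes shipped by WordPress core, themes or other plugins; this one is invented.
class LogFlusher {
    public string $path = '';
    public string $data = '';
    public function __destruct() {
        // Arbitrary file write: the attacker chooses both $path and $data.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern (CWE-502): the raw field value reaches unserialize(), so the
// attacker decides which classes get instantiated and with which properties.
function handle_field_vulnerable(string $fieldValue): mixed {
    return unserialize($fieldValue);
}

// Hardened pattern 1: keep unserialize() but forbid every class. Objects in the
// payload become __PHP_Incomplete_Class, so no magic method ever runs.
function handle_field_hardened(string $fieldValue): mixed {
    return unserialize($fieldValue, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred): never use PHP's native serialization for
// untrusted input; JSON cannot express object types or trigger magic methods.
function handle_field_json(string $fieldValue): mixed {
    return json_decode($fieldValue, true, 512, JSON_THROW_ON_ERROR);
}

// Input-validation check in the spirit of SI-10: reject values carrying a serialized
// PHP object marker (O:<len>:"<class>") before any deserializer sees them.
function looks_like_serialized_object(string $value): bool {
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $value);
}

// Constructed attacker payload: a LogFlusher with attacker-chosen properties, written
// by hand so the wire format is visible (lengths must match the strings exactly).
$target  = '/tmp/poi-demo.txt';
$payload = 'O:10:"LogFlusher":2:{'
         . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
         . 's:4:"data";s:5:"pwned";}';

echo "validation flags payload: ", var_export(looks_like_serialized_object($payload), true), "\n";

// Hardened handler: the gadget is neutralised and nothing is written.
$obj = handle_field_hardened($payload);
echo "hardened gives incomplete class: ", var_export($obj instanceof __PHP_Incomplete_Class, true), "\n";
unset($obj);
echo "file written after hardened path: ", var_export(file_exists($target), true), "\n";

// Vulnerable handler: the gadget is instantiated; when $obj is released,
// __destruct() runs with attacker-controlled properties and writes the file.
$obj = handle_field_vulnerable($payload);
unset($obj);
echo "file written after vulnerable path: ", var_export(file_exists($target), true), "\n";
@unlink($target);

// JSON handler on the same payload: it is not valid JSON, so it is rejected outright.
try {
    handle_field_json($payload);
} catch (JsonException $e) {
    echo "json handler rejected payload: ", $e->getMessage(), "\n";
}
```

Run it with `php poi-demo.php`. Two design points worth noting: `allowed_classes => false` still deserializes scalars and arrays, so if a handler genuinely needs objects, pass an explicit allowlist of class names rather than `true`; and the regex check is a defence-in-depth signal for a WAF or input filter, not a substitute for removing unserialize() from the input path, since the marker can be obscured (for example by nesting inside an array element) in ways a simple pattern will not always catch.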

WPScan's advisory recommends updating the Ninja Forms plugin to version 3.11.1 or later to mitigate the vulnerability.

Vulnerability details

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input supplied via form fields, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote PHP Object Injection in an Internet-facing WordPress plugin maps directly to T1190: the form endpoint is the public-facing application, and a gadget chain turns deserialization into code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13770 (shared CWE-502)
CVE-2026-27303 (shared CWE-502)
CVE-2025-53586 (shared CWE-502)
CVE-2025-64353 (shared CWE-502)
CVE-2025-31047 (shared CWE-502)
CVE-2026-27096 (shared CWE-502)
CVE-2023-49886 (shared CWE-502)
CVE-2026-23542 (shared CWE-502)
CVE-2025-66631 (shared CWE-502)
CVE-2026-40044 (shared CWE-502)

Affected Assets

Vendor: Ninjaforms
Product: Ninja Forms (WordPress plugin)
Affected versions: < 3.11.1 (fixed in 3.11.1)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent): Directly mitigates the vulnerability by requiring timely application of vendor patches, in this case updating Ninja Forms to version 3.11.1 or later, which removes the unsafe unserialization of user input.

SI-10 Information Input Validation (prevent): Validates and sanitizes user-supplied form-field inputs so that serialized PHP objects are rejected before any unserialization occurs.

prevent: Restricts form-field inputs to prohibit serialized data types or payloads that could enable PHP Object Injection when unserialized.
