A serious security vulnerability has been discovered in Fluent Forms, a popular WordPress plugin with over 600,000 active installations. The issue is a PHP Object Injection vulnerability, and it allows attackers with minimal access to read sensitive files on affected websites.
The vulnerability affects Fluent Forms versions 5.1.16 to 6.1.1. It can be exploited through the plugin’s parseUserProperties() function. This function unserializes user-provided data, which means an attacker can inject a malicious PHP object.
If successfully exploited, attackers could access critical files like wp-config.php, which contains database credentials and security keys. On servers with certain configurations, remote code execution is also possible.
The vulnerability has been assigned CVE-2025-9260 and carries a medium CVSS rating of 6.5.
PHP Object Injection occurs when serialized data is processed without proper validation. Serialized data can include PHP objects, and if a plugin unserializes it incorrectly, an attacker can manipulate the process.
Fluent Forms also contains a POP (property-oriented programming) chain, which allows attackers to read arbitrary files. Even users with Subscriber-level access can exploit this flaw.
The vulnerability was discovered by security researcher Webbernaut through the Wordfence Bug Bounty Program. The researcher received a $1,729 bounty for responsibly reporting it.
The fixed version, 6.1.2, was released on August 29, 2025. The patch uses a safe unserialize function to ensure that objects containing PHP classes cannot be injected. This fixes the vulnerability completely.
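To illustrate the unsafe unserialize pattern described above and the kind of restriction the fix applies, here is an added example written for this article; it is not Fluent Forms code. The class, function names and payload are constructed for the demonstration, and the hardened variant uses PHP's built-in `allowed_classes` option of `unserialize()`.

```php
<?php
// Added example, not code from the Fluent Forms plugin. The class and payload
// are constructed to show why unserialize() on user input is dangerous and how
// restricting allowed classes neutralises object injection.
declare(strict_types=1);

// A hypothetical application class with a magic method. Any such class that is
// loadable becomes a potential gadget once unserialize() may instantiate it.
final class AuditEntry
{
    public static array $triggered = [];
    public string $note = '';

    public function __wakeup(): void
    {
        // Runs automatically whenever an instance is unserialized.
        self::$triggered[] = $this->note;
    }
}

// Vulnerable pattern (constructed name mirroring the advisory): user-controlled
// bytes go straight into unserialize(), so any loadable class can be
// instantiated and its __wakeup/__destruct logic executes.
function parseUserPropertiesVulnerable(string $userData): mixed
{
    return unserialize($userData);
}

// Hardened pattern: allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class, so no application class is constructed and no
// magic method fires. Scalars and arrays still deserialize normally.
function parseUserPropertiesSafe(string $userData): mixed
{
    return unserialize($userData, ['allowed_classes' => false]);
}

// Constructed input: a serialized AuditEntry, as attacker-supplied bytes would
// look if they reached the parser.
$entry = new AuditEntry();
$entry->note = 'magic method executed';
$payload = serialize($entry);

$vuln = parseUserPropertiesVulnerable($payload);
printf("vulnerable: %s, __wakeup calls: %d\n", get_class($vuln), count(AuditEntry::$triggered));

AuditEntry::$triggered = [];
$safe = parseUserPropertiesSafe($payload);
printf("hardened:   %s, __wakeup calls: %d\n", get_class($safe), count(AuditEntry::$triggered));

// Benign structured data is unaffected by the restriction.
var_dump(parseUserPropertiesSafe(serialize(['name' => 'alice', 'id' => 7])));
```

Running it shows `AuditEntry` with one `__wakeup` call for the vulnerable path and `__PHP_Incomplete_Class` with zero calls for the hardened path; where user data only ever needs scalars and arrays, a format with no object semantics such as JSON avoids the problem entirely.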
All Wordfence users, including those using Premium, Care, Response, or the free version, are automatically protected by the firewall’s built-in Generic Object Injection protection.
WordPress users are strongly urged to update Fluent Forms to version 6.1.2 immediately. Sites running older versions remain at risk of attacks that can expose sensitive files and site credentials.