CVE-2025-9083: 
WordPress vulnerability analysis and mitigation

The Ninja Forms WordPress plugin before version 3.11.1 contains a PHP Object Injection vulnerability identified as CVE-2025-9083. The vulnerability was discovered on August 28, 2025, and allows unauthenticated users to perform PHP Object Injection through unserialized user input via form fields (WPScan).

The vulnerability stems from the plugin's handling of user input in form fields, specifically in the Repeatable Fieldset functionality. The issue occurs when the plugin processes submitted values through the maybe_unserialize() function without proper validation. The vulnerability has received a CVSS 3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

While the vulnerability itself requires a suitable PHP Object Injection gadget to be present on the target system, if such a gadget exists, attackers could potentially perform various malicious actions. These actions may include deleting arbitrary files, retrieving sensitive data, or executing arbitrary code, depending on the available POP chain (Rapid7).

The vulnerability has been patched in Ninja Forms version 3.11.1. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).