CVE-2025-53990

2025-07-16

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
- CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description

Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through <= 3.5.1.2.

Analysis

Object injection via unsafe deserialization in the JetFormBuilder WordPress plugin through version 3.5.1.2 allows attackers to instantiate arbitrary PHP objects and, given a suitable gadget chain in the installed codebase, potentially achieve remote code execution. All versions up to and including 3.5.1.2 are affected; no CVSS score has been publicly assigned yet. The EPSS exploitation probability is low at 0.14% (35th percentile), and no public exploit code or confirmed active exploitation has been identified at this time.

Technical Context

The vulnerability is an instance of CWE-502 (Deserialization of Untrusted Data): PHP's unserialize() (or an equivalent mechanism) is handed attacker-controlled bytes without restricting which classes may be instantiated. A serialized payload can name any class that is loaded at that point. PHP runs that class's __unserialize() or __wakeup() during deserialization and __destruct() when the object is released, while other magic methods such as __toString() or __call() fire only if the application later uses the object in the matching way. Chaining such methods across classes already present in the codebase (a gadget chain) is how object injection is turned into file writes, database queries or code execution, so the real impact depends on which classes the WordPress core, theme and other plugins load, not on JetFormBuilder alone. JetFormBuilder, a WordPress plugin (the CPE would be cpe:2.3:a:jetmonsters:jetformbuilder:*:*:*:*:*:wordpress:*:*), implements form-building functionality and likely processes form data or configuration through PHP-serialized data without adequate validation or type checking; the exact entry point is not given in the published description.
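To make the mechanism concrete, the following is an added example written for this page; it is not JetFormBuilder code and not taken from the Patchstack advisory. It shows the generic CWE-502 pattern beside a hardened loader. The LogWriter gadget class, the load_settings_* function names and the payload are all hypothetical stand-ins, since the plugin's actual entry point is not published.

```php
<?php
// Added example for this page, not JetFormBuilder code. Requires PHP 8.0+;
// run with: php demo.php
declare(strict_types=1);

// Hypothetical gadget: any loaded class whose destructor has a side effect.
// In a real WordPress install the gadgets come from core, themes and other
// plugins; this one just writes a file.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    // PHP calls __destruct() when the object is released, including objects
    // that unserialize() created and the application never used.
    public function __destruct()
    {
        @file_put_contents($this->path, $this->data);
    }
}

// Constructed attacker input: a serialized LogWriter whose properties aim the
// destructor at a file of the attacker's choosing (all lengths are exact).
const PAYLOAD = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:5:"owned";}';

// CWE-502 as the advisory describes it: untrusted bytes reach unserialize()
// with no class restriction, so PAYLOAD becomes a live LogWriter and its
// destructor later runs with the attacker's property values.
function load_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false makes PHP build __PHP_Incomplete_Class
// placeholders instead of real objects, so no __wakeup()/__destruct() of
// LogWriter ever runs. The result is then restricted to a plain array of
// scalars, which is all a settings blob should be; anything else yields null.
function load_settings_hardened(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    $clean = true;
    array_walk_recursive($value, function ($leaf) use (&$clean): void {
        // Objects are leaves for array_walk_recursive, so a nested
        // __PHP_Incomplete_Class placeholder is caught here.
        if (!is_scalar($leaf) && $leaf !== null) {
            $clean = false;
        }
    });
    return $clean ? $value : null;
}

// Better still: never accept PHP's native serialization from users. JSON has
// no object-instantiation semantics, so the only failure modes are malformed
// input or the wrong shape, both of which are checked explicitly.
function load_settings_json(string $raw): ?array
{
    $value = json_decode($raw, true, 16);
    return is_array($value) ? $value : null;
}

$obj = load_settings_vulnerable(PAYLOAD);
echo 'vulnerable loader produced: ', get_debug_type($obj), PHP_EOL;

$safe = load_settings_hardened(PAYLOAD);
echo 'hardened loader produced: ', get_debug_type($safe), PHP_EOL;

$legit = load_settings_hardened('a:1:{s:5:"theme";s:4:"dark";}');
echo 'hardened loader on a plain array: ', json_encode($legit), PHP_EOL;

echo 'json loader: ', json_encode(load_settings_json('{"theme":"dark"}')), PHP_EOL;
```

The vulnerable loader hands back a real LogWriter, and the file named in the payload is written the moment that object is released, even though nothing in the script ever called a method on it. The hardened loader returns null for the same bytes because the object token is downgraded to a placeholder and then rejected by the shape check, while an ordinary serialized array of scalars still passes. The allowed_classes option has been available since PHP 7.0; where the data format is under your control, moving to JSON removes the class of bug entirely.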

Affected Products

JetFormBuilder by jetmonsters, all versions from the initial release through 3.5.1.2 (inclusive). The plugin is distributed via the WordPress.org plugin repository. Any installation running JetFormBuilder 3.5.1.2 or earlier should be treated as in scope. CPE (estimated, as above): cpe:2.3:a:jetmonsters:jetformbuilder:*:*:*:*:*:wordpress:*:* with version upper bound 3.5.1.2 inclusive.

Remediation

Update JetFormBuilder to a release newer than 3.5.1.2 as soon as possible; check the Patchstack database entry and the WordPress.org plugin page for the patched version. If no fix is available from the vendor yet, deactivate JetFormBuilder until one is. Review form submissions and any imported or stored configuration the plugin processed during the exposure window, looking in particular for PHP-serialized object data where plain values were expected. Audit user roles and capabilities so that only trusted administrators can create, import or edit forms and plugin settings; because the entry point is not described in the public advisory, treat every path through which the plugin deserializes input as in scope. The vulnerability report is available at https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-1-2-php-object-injection-vulnerability?_s_id=cve for further details and vendor patch availability confirmation.
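For the review of stored submissions and configuration recommended above, the following is an added triage helper written for this page; it is not part of JetFormBuilder or of the Patchstack advisory. It scans text for the PHP serialization tokens that instantiate classes (O: and C:) and reports the class names, so a reviewer can run it over database exports or form-entry dumps. Legitimate WordPress data is full of serialized arrays (a:) and some plugins store stdClass objects, so it ignores arrays and accepts an allow-list. The sample records are constructed.

```php
<?php
// Added triage helper for this page, not part of JetFormBuilder or the
// Patchstack advisory. Run with: php triage.php
declare(strict_types=1);

/**
 * Return the class names named by object tokens in a blob of text.
 * PHP's serialization grammar spells objects as O:<len>:"<class>":<n>:{...}
 * and classes implementing Serializable as C:<len>:"<class>":<len>:{...}.
 * Serialized arrays (a:) and scalars are ignored: they instantiate nothing.
 * Classes listed in $allow are skipped so known-benign data is not reported.
 */
function find_serialized_classes(string $blob, array $allow = []): array
{
    $found = [];
    $pattern = '/(?<![A-Za-z0-9_])[OC]:(\d+):"([^"]+)":\d+:\{/';
    if (preg_match_all($pattern, $blob, $hits, PREG_SET_ORDER)) {
        foreach ($hits as $hit) {
            // The declared length must match the class name exactly; text that
            // merely resembles a token fails this check and is not reported.
            if ((int) $hit[1] !== strlen($hit[2])) {
                continue;
            }
            if (!in_array($hit[2], $allow, true)) {
                $found[] = $hit[2];
            }
        }
    }
    return array_values(array_unique($found));
}

/**
 * Scan record id => stored value pairs (form entries, options, post meta as
 * dumped from the database) and return the ids whose contents instantiate
 * classes, together with the class names seen.
 */
function triage_records(array $records, array $allow = ['stdClass']): array
{
    $suspicious = [];
    foreach ($records as $id => $value) {
        $classes = find_serialized_classes((string) $value, $allow);
        if ($classes !== []) {
            $suspicious[$id] = $classes;
        }
    }
    return $suspicious;
}

// Constructed sample records standing in for a dump of the plugin's stored data.
$records = [
    'entry-101' => '{"name":"Alice","email":"alice@example.com"}',
    'entry-102' => 'a:2:{s:4:"name";s:3:"Bob";s:5:"email";s:15:"bob@example.com";}',
    'entry-103' => 'a:1:{s:4:"name";O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:5:"owned";}}',
    'entry-104' => 'Support note: the string O:5:"Foo":0:{} came from a user, not from us',
    'option-7'  => 'O:8:"stdClass":1:{s:5:"theme";s:4:"dark";}',
];

foreach (triage_records($records) as $id => $classes) {
    echo $id, ': ', implode(', ', $classes), PHP_EOL;
}
```

On these records only entry-103 is reported, naming LogWriter: the JSON and plain-array entries contain no object token, the support note's token fails the length check, and the stdClass option is on the allow-list. Any hit naming a class you did not expect to see in stored form data is worth pulling the full record for, together with the submitting IP and timestamp if the plugin kept them.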

Priority Score

0 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.1
- CVSS: +0
- POC: 0


