
CVE-2025-53990

HIGH
Deserialization of Untrusted Data (CWE-502)
Published 2025-07-16 · audit@patchstack.com
CVSS 3.1 base score 7.2 (NVD)

Severity by source

NVD (primary): 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Apr 23, 2026 15:42 · vuln.today · Re-analysis Queued
Apr 23, 2026 15:42 · NVD · CVSS changed: 7.2 (HIGH)
Apr 01, 2026 17:43 · vuln.today · Analysis Generated
Jul 16, 2025 11:15 · nvd · CVE Published · N/A

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through <= 3.5.1.2.

Analysis (AI-generated)

Object injection via unsafe deserialization in the JetFormBuilder WordPress plugin, through version 3.5.1.2, allows an attacker to instantiate arbitrary PHP objects and potentially achieve remote code execution. All versions up to and including 3.5.1.2 are affected; at the time this analysis was generated, no CVSS score had been publicly assigned. The EPSS exploitation probability is low, 0.14% (35th percentile), and no public exploit code or confirmed in-the-wild exploitation has been identified.

Technical Context (AI-generated)

The vulnerability is an instance of CWE-502 (Deserialization of Untrusted Data), a critical class of flaw in which PHP's unserialize() or a similar mechanism processes user-controlled data without proper validation. When attacker-controlled serialized data is deserialized, PHP instantiates whatever classes the payload names and invokes their magic methods (__wakeup during deserialization, __destruct when the object is released, __toString when it is used as a string, and so on), so any gadget chain present in the loaded codebase can be triggered, potentially leading to arbitrary code execution. JetFormBuilder, a WordPress plugin (CPE: cpe:2.3:a:jetmonsters:jetformbuilder:*:*:*:*:*:wordpress:*:*), provides form-building functionality and, from the published details, appears to process form data or configuration through serialized PHP objects without adequate sanitization or type checking.
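The unsafe pattern described above, beside two hardened alternatives, as an added illustration. This is not JetFormBuilder's code and does not reflect how the plugin is written; the `CacheEntry` class, the `load_settings_*` functions and the serialized payload are constructed for this example, and the class stands in for any gadget-like class that happens to be autoloaded on a WordPress site.

```php
<?php
// Added example (not JetFormBuilder code): CWE-502 in a WordPress-style
// settings loader, and two hardened equivalents.

// Stand-in for any autoloaded class with a side effect in a magic method.
// Constructed for illustration; real gadgets write, delete or call things here.
class CacheEntry {
    public string $path = '';
    public function __destruct() {
        // Runs automatically when the object is released, with $path attacker-chosen.
        error_log('CacheEntry cleanup requested for ' . $this->path);
    }
}

// VULNERABLE: a serialized blob taken straight from request data.
// unserialize() will instantiate any class the payload names.
function load_settings_unsafe(string $raw): mixed {
    return unserialize($raw);
}

// HARDENED: forbid object instantiation entirely, then type-check the result.
// Any object in the input becomes __PHP_Incomplete_Class, never a live gadget.
function load_settings_safe(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('settings must be a plain array');
    }
    array_walk_recursive($data, function ($v) {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('object found in settings payload');
        }
    });
    return $data;
}

// PREFERRED: keep settings as JSON, a format that cannot encode PHP objects.
function load_settings_json(string $raw): array {
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed payload: a serialized CacheEntry with a caller-chosen path.
$payload = 'O:10:"CacheEntry":1:{s:4:"path";s:16:"/tmp/example.txt";}';
$benign  = 'a:1:{s:5:"theme";s:4:"dark";}';

load_settings_unsafe($payload);            // CacheEntry instantiated; __destruct fires
var_dump(load_settings_safe($benign));     // array(1) { ["theme"]=> "dark" }
try {
    load_settings_safe($payload);          // rejected: not a plain array
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(load_settings_json('{"theme":"dark"}'));
```

The `allowed_classes` option only governs that one `unserialize()` call; on PHP 7.x, file functions applied to user-controlled `phar://` paths also deserialize archive metadata, so path inputs need the same scrutiny. Storing structured data as JSON removes the object-instantiation surface altogether, which is why it is the preferred fix where the format is under your control.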

Affected Products (AI-generated)

JetFormBuilder by jetmonsters, all versions from the initial release through 3.5.1.2 inclusive. The plugin is distributed through the WordPress.org plugin repository. Any installation running JetFormBuilder 3.5.1.2 or earlier should be considered in scope. CPE: cpe:2.3:a:jetmonsters:jetformbuilder:*:*:*:*:*:wordpress:*:*, with version upper bound 3.5.1.2.

Remediation (AI-generated)

Update JetFormBuilder to a version newer than 3.5.1.2 immediately. Check the Patchstack database and the WordPress.org plugin repository for the latest patched release. If no update is yet available from the vendor, disable or deactivate JetFormBuilder until a fix is released. Review form submissions and any configuration data the plugin may have processed during the exposure window. Because the NVD vector requires high privileges (PR:H), audit user roles and capabilities so that form data input is restricted to trusted administrators only. The vulnerability report at https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-1-2-php-object-injection-vulnerability?_s_id=cve carries further details and confirmation of vendor patch availability.
