
PHP CVE-2025-60080

HIGH 7.5 (CVSS 3.1, NVD) · Deserialization of Untrusted Data (CWE-502) · 2025-12-18 · audit@patchstack.com

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 15:22 (vuln.today)
CVE Published: Dec 18, 2025 08:16 (nvd) · HIGH 7.5

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection. This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.

Analysis (AI)

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to and including 6.5.0 lets an authenticated attacker with low privileges (PR:L) feed attacker-controlled serialized data to unserialize(). Depending on the gadget chains present in the installation, this can lead to arbitrary code execution or manipulation of application logic. The CVSS 3.1 score is 7.5 (High), but the EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood; no public exploit was identified at the time of analysis, and the vector rates attack complexity as High (AC:H), so exploitation requires both an account and a usable gadget chain.

Technical Context (AI)

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data): the application passes PHP-serialized data from an untrusted source to unserialize() without restricting which classes may be instantiated. unserialize() reconstructs any class that is loaded at that point, and the engine then runs the class's magic methods: __wakeup() (or __unserialize()) immediately after the object is rebuilt, __destruct() when the object is released, and __toString() whenever the object is used as a string. An attacker who controls the serialized input therefore chooses the class and every property value, and chains existing code ("gadgets") into operations the developer never intended. According to the CVE description, the PDF for Gravity Forms plugin, which generates PDF documents from Gravity Forms submissions using drag-and-drop templates, accepts such data from authenticated users. Because the plugin runs inside the WordPress PHP process, the gadgets available are those of WordPress core, the plugin itself, and every other active plugin and bundled library. WordPress core has been hardened against known gadget chains over the years, so usable chains typically come from third-party libraries shipped with other plugins; the practical impact (remote code execution, SQL injection, or file system manipulation) therefore depends on what else is installed rather than on this plugin alone.
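To make the mechanism concrete, here is an added example; it is not code from the pdf-for-gravity-forms plugin, whose actual unserialize() call site is not public on this page. A hypothetical TemplateCache class stands in for a gadget already loaded in the application, and the three loader functions show the vulnerable pattern next to two hardened ones. The class name, property names, function names and temp-file path are all assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the pdf-for-gravity-forms plugin.
// The class, function names and file path below are hypothetical.

// A "gadget": any class already loaded in the application whose magic
// method does something useful to an attacker. Here a cache helper that
// flushes its buffer to disk when the object is destroyed.
class TemplateCache
{
    public string $path = '';
    public string $contents = '';

    public function __destruct()
    {
        // Runs automatically when the object is garbage-collected,
        // including objects that were created by unserialize().
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable pattern: a request field or stored option is handed to
// unserialize() as-is, so the attacker chooses the class and its properties.
function load_template_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the input
// become __PHP_Incomplete_Class and no method of TemplateCache ever runs.
function load_template_settings_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for untrusted input at all.
function load_template_settings_json(string $raw): ?array
{
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
}

// Payload an attacker would submit (constructed for this demo). The property
// values are the attacker's choice; the layout is exactly what serialize()
// would emit for a TemplateCache instance.
$tmp = sys_get_temp_dir() . '/poi-demo.txt';
$payload = sprintf(
    'O:13:"TemplateCache":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:5:"pwned";}',
    strlen($tmp),
    $tmp
);

// Vulnerable path: the destructor fires when the object is released and the
// attacker-chosen file is written.
$obj = load_template_settings_vulnerable($payload);
unset($obj);
printf("vulnerable: file written = %s\n", var_export(file_exists($tmp), true));
@unlink($tmp);

// Hardened path: the result is an incomplete-class stand-in and nothing runs.
$obj = load_template_settings_hardened($payload);
printf(
    "hardened: class = %s, file written = %s\n",
    get_class($obj),
    var_export(file_exists($tmp), true)
);
unset($obj);
```

The `allowed_classes` option has existed since PHP 7.0 and is the minimum fix when the serialized format cannot be replaced. Note that WordPress's own `maybe_unserialize()` wraps a plain `unserialize()` call without restricting classes (true at the time of writing), so routing untrusted data through it is just as dangerous as calling `unserialize()` directly.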

Affected Products (AI)

The vulnerability affects the add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder WordPress plugin from an unspecified starting version through version 6.5.0 inclusive. This plugin extends Gravity Forms to generate customizable PDF documents from form submissions using a visual template builder. The Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/pdf-for-gravity-forms/) tracks the affected plugin. Organizations running WordPress installations with this plugin at version 6.5.0 or earlier should consider themselves affected, particularly if low-privilege accounts (the PR:L precondition) can reach the plugin's configuration interfaces or form-submission workflows that process serialized data.

Remediation (AI)

Organizations should upgrade PDF for Gravity Forms + Drag And Drop Template Builder to a version newer than 6.5.0 as recommended by Patchstack's disclosure. Consult the official plugin repository or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/pdf-for-gravity-forms/vulnerability/wordpress-pdf-for-gravity-forms-drag-and-drop-template-builder-plugin-6-3-0-php-object-injection-vulnerability for the specific patched version and update instructions. As interim mitigations: restrict the plugin's settings and template-builder screens to fully trusted administrator accounts; review WordPress roles so that low-privilege users hold only the capabilities they need (the attack requires an authenticated account, so reducing who can reach the plugin reduces exposure); and audit any custom code or integrations that pass user-controlled data to the plugin or call unserialize()/maybe_unserialize() on request input. Web Application Firewall rules can reject request bodies that contain serialized PHP objects (the `O:<n>:"<Class>":` and `C:<n>:"<Class>":` prefixes), including base64- and URL-encoded variants; serialized arrays (`a:`) are common in legitimate WordPress traffic and should not be blocked on their own. Monitor access logs for unusual authenticated activity against PDF-generation and plugin-settings endpoints.
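As an added example of the request-filtering check suggested above (not code from the plugin, Patchstack or WordPress core), the following must-use plugin rejects POST requests that carry a serialized PHP object before any regular plugin runs. The `spo_` prefix, the log message and the self-check inputs are constructed for this illustration; the regex deliberately matches only object (`O:`) and custom-serialized (`C:`) records, not serialized arrays.

```php
<?php
/**
 * Plugin Name: Block serialized PHP objects in requests (added example)
 *
 * Added example, not code from the pdf-for-gravity-forms plugin or from
 * Patchstack. Place in wp-content/mu-plugins/ (WordPress's default must-use
 * plugin directory). Must-use plugins load before regular plugins, so the
 * top-level check below runs before any plugin can call unserialize() on
 * the request. Names prefixed spo_ are hypothetical.
 */

// Matches the start of a serialized PHP object or custom-serialized class:
//   O:<len>:"<Class>":<n>:{   or   C:<len>:"<Class>":<len>:{
// The leading group requires start-of-string, ';', '{' or whitespace so that
// plain text such as "O:12 ok" is not flagged.
const SPO_PATTERN = '/(?:^|[;{\s])[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

function spo_contains_object(string $value): bool
{
    if (preg_match(SPO_PATTERN, $value) === 1) {
        return true;
    }
    // Attackers often wrap the payload; unwrap one layer of strict base64
    // and one layer of URL encoding before re-checking.
    $decoded = base64_decode($value, true);
    if ($decoded !== false && $decoded !== $value && preg_match(SPO_PATTERN, $decoded) === 1) {
        return true;
    }
    $unescaped = rawurldecode($value);
    return $unescaped !== $value && preg_match(SPO_PATTERN, $unescaped) === 1;
}

/** Walk nested request arrays (WordPress forms post a[b][c]=v structures). */
function spo_scan(mixed $input): bool
{
    if (is_array($input)) {
        foreach ($input as $v) {
            if (spo_scan($v)) {
                return true;
            }
        }
        return false;
    }
    return is_string($input) && spo_contains_object($input);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Check parsed form fields and the raw body (JSON or urlencoded payloads).
    $suspicious = spo_scan($_POST)
        || spo_contains_object((string) file_get_contents('php://input'));
    if ($suspicious) {
        error_log(sprintf(
            'Blocked serialized-object payload from %s to %s',
            $_SERVER['REMOTE_ADDR'] ?? '?',
            $_SERVER['REQUEST_URI'] ?? '?'
        ));
        http_response_code(403);
        exit('Forbidden');
    }
}

// Self-check with constructed inputs when the file is run from the CLI.
if (PHP_SAPI === 'cli') {
    $samples = [
        'O:8:"stdClass":1:{s:1:"a";i:1;}'      => true,
        'a:1:{i:0;O:13:"TemplateCache":0:{}}'  => true,
        base64_encode('O:8:"stdClass":0:{}')    => true,
        'Total: 12 items (O:12 ok)'             => false,
        '{"name":"invoice.pdf"}'                => false,
    ];
    foreach ($samples as $input => $expected) {
        $got = spo_contains_object($input);
        printf("%s %s\n", $got === $expected ? 'ok  ' : 'FAIL', $input);
    }
}
```

Run it once with `php block-serialized-objects.php` to exercise the self-check, then deploy it in log-only mode (replace the `exit` with the `error_log` call alone) for a few days before enforcing, so that any legitimate integration that posts serialized objects shows up in the log rather than breaking.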


CVE-2025-60080 vulnerability details – vuln.today
