CVE-2025-60080

HIGH
2025-12-18 [email protected]
7.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 18, 2025 - 08:16 nvd

Description

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder (pdf-for-gravity-forms) allows Object Injection. This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through 6.5.0 inclusive.

Analysis

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to and including 6.5.0 allows an authenticated attacker with low privileges to inject arbitrary PHP objects through unsafe deserialization. The achievable impact, up to arbitrary code execution or manipulation of application logic, depends on the gadget chains present in the installed code base. The CVSS score is 7.5 (High), but the EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit was identified at the time of analysis, and the attack requires high complexity (AC:H) and an authenticated account (PR:L).

Technical Context

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data): the application deserializes PHP objects from an untrusted source without restricting which classes may be instantiated. PHP's unserialize() instantiates whatever class name appears in the input and triggers magic methods (__wakeup, __unserialize, __destruct, __toString) on the resulting objects, so an attacker who controls the serialized string can chain code that already exists in the process into dangerous operations. According to the advisory, the plugin, which integrates with Gravity Forms to generate PDF documents from drag-and-drop templates, passes data controlled by an authenticated user to a deserialization routine; the public description does not detail the exact entry point. Because the plugin runs inside the WordPress PHP process, every loaded class in core, the active theme, and every other installed plugin is a candidate gadget. WordPress core itself is not known to ship a ready-made code-execution gadget chain, but libraries bundled by plugins and themes (the kind catalogued in tools such as PHPGGC) often are, so object injection can escalate to remote code execution, SQL injection, or file system manipulation depending on what is installed alongside the vulnerable plugin.
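The following is an added illustration, not code from the plugin or from vuln.today. It shows the vulnerable pattern (unserialize() on a request-controlled string), a hypothetical gadget class named TemplateCache standing in for any class already loaded in the WordPress process whose __destruct does something with its properties, and two hardened alternatives: disallowing object instantiation with the allowed_classes option, and moving to a data-only format with explicit validation. The payload is constructed by hand for the demo.

```php
<?php
// Added example: CWE-502 in PHP, vulnerable form beside hardened forms.
// TemplateCache is a hypothetical gadget class; it is not part of the plugin.

class TemplateCache {
    public $path;
    public $contents;

    // Looks legitimate (persist a cache entry on teardown), but with attacker-chosen
    // properties it becomes an arbitrary file write when the object is destroyed.
    public function __destruct() {
        if ($this->path !== null) {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable: any class named in $serialized is instantiated and its magic methods run.
function vulnerable_load_template(string $serialized) {
    return unserialize($serialized);
}

// Hardened 1 (PHP >= 7.0): forbid object instantiation. Objects in the input become
// __PHP_Incomplete_Class placeholders and no __wakeup/__destruct fires.
function hardened_load_template(string $serialized) {
    $data = unserialize($serialized, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;   // reject anything that is not plain data
}

// Hardened 2: use a format that cannot express objects at all, then validate the shape.
function hardened_load_template_json(string $json): array {
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['template_id']) || !is_int($data['template_id'])) {
        throw new InvalidArgumentException('unexpected template payload');
    }
    return $data;
}

// Constructed attacker payload: a serialized TemplateCache with attacker-chosen properties.
$path    = sys_get_temp_dir() . '/poi-demo.txt';
$payload = 'O:13:"TemplateCache":2:{'
         . 's:4:"path";s:' . strlen($path) . ':"' . $path . '";'
         . 's:8:"contents";s:30:"written by deserialised object";}';

@unlink($path);
$obj = vulnerable_load_template($payload);
unset($obj);                                   // __destruct runs here: file is written
echo file_exists($path) ? "vulnerable: gadget wrote $path\n" : "no write\n";

@unlink($path);
$safe = hardened_load_template($payload);      // returns null: object rejected
unset($safe);
echo file_exists($path) ? "unexpected write\n" : "hardened: object rejected, nothing written\n";

echo json_encode(hardened_load_template_json('{"template_id": 12}')), "\n";
```

Note that the allowed_classes option only helps where the call site is under your control; WordPress core's own maybe_unserialize() calls unserialize() without it, so any plugin that routes attacker-controlled strings through that helper is equally exposed.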

Affected Products

The vulnerability affects the add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder WordPress plugin from an unspecified starting version through version 6.5.0 inclusive. This plugin extends Gravity Forms to generate customizable PDF documents from form submissions using a visual template builder. The Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/pdf-for-gravity-forms/) identifies the WordPress plugin ecosystem as the deployment environment. Organizations running WordPress with this plugin at version 6.5.0 or earlier should consider themselves affected, particularly where low-privilege accounts (for example, subscribers or form editors) can reach plugin configuration screens or form submission workflows that process serialized data.

Remediation

Organizations should upgrade PDF for Gravity Forms + Drag And Drop Template Builder to a version newer than 6.5.0, as recommended by Patchstack's disclosure. Consult the official plugin repository or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/pdf-for-gravity-forms/vulnerability/wordpress-pdf-for-gravity-forms-drag-and-drop-template-builder-plugin-6-3-0-php-object-injection-vulnerability for the specific patched version and update instructions; note that the advisory slug references 6.3.0 while the CVE range runs through 6.5.0, so confirm the fixed version from the advisory itself rather than from the URL. As an interim mitigation, restrict plugin access to fully trusted administrator accounts, review WordPress user roles against the principle of least privilege, and audit any custom code or integrations that pass user-controlled data to the plugin's deserialization functions. Consider Web Application Firewall (WAF) rules that flag serialized PHP object syntax (the O:<length>:"<class>": prefix) in POST parameters to plugin endpoints, including base64- or URL-encoded variants. Monitor WordPress access logs for unusual authenticated activity against PDF generation endpoints.
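As an added example of the detection step above (not code from the plugin, Patchstack, or vuln.today), the following scans request parameters for serialized PHP object syntax, looking one layer inside base64 and URL encoding, which is how such payloads are commonly wrapped. The sample requests and the parameter names in them are constructed; the plugin's real endpoint and field names are not given on this page.

```php
<?php
// Added example: detector for serialized PHP object patterns in request parameters.
// Suitable as a prototype for a WAF rule or a must-use plugin hook.

// On-wire form of a serialized object: O:<len>:"<class>":<count>:{ ... }
// (or C: for classes implementing Serializable). Restricting the class-name
// character set keeps false positives down on ordinary text.
const PHP_OBJECT_PATTERN = '/[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

// Returns every serialized-object prefix found in $value, including inside one or two
// layers of base64 or URL encoding.
function find_serialized_objects(string $value, int $depth = 0): array {
    $hits = [];
    if (preg_match_all(PHP_OBJECT_PATTERN, $value, $m)) {
        $hits = $m[0];
    }
    if ($depth < 2) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false && $decoded !== '' && $decoded !== $value) {
            $hits = array_merge($hits, find_serialized_objects($decoded, $depth + 1));
        }
        $unescaped = rawurldecode($value);
        if ($unescaped !== $value) {
            $hits = array_merge($hits, find_serialized_objects($unescaped, $depth + 1));
        }
    }
    return $hits;
}

// Walks a (possibly nested) parameter array such as $_POST and reports each hit
// with the parameter path it was found in.
function scan_request(array $params, string $prefix = ''): array {
    $findings = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $findings = array_merge($findings, scan_request($value, $name));
        } elseif (is_string($value)) {
            foreach (find_serialized_objects($value) as $hit) {
                $findings[] = ['param' => $name, 'match' => $hit];
            }
        }
    }
    return $findings;
}

// Constructed sample requests (not real traffic): one benign, one carrying a raw
// payload, one carrying a base64-wrapped payload inside a nested field.
$samples = [
    'benign' => ['action' => 'pdf_preview', 'template_id' => '12', 'title' => 'Invoice 2025'],
    'raw'    => ['action' => 'pdf_preview',
                 'template' => 'O:13:"TemplateCache":1:{s:4:"path";s:10:"/tmp/x.php";}'],
    'b64'    => ['action' => 'pdf_preview',
                 'settings' => ['layout' => base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}')]],
];

foreach ($samples as $label => $post) {
    $findings = scan_request($post);
    printf("%-6s %s\n", $label, $findings ? json_encode($findings) : 'clean');
}
```

In a WordPress deployment this would run from a must-use plugin on an early hook (for example add_action('init', ...)) against $_POST and $_GET, logging every finding and blocking the request with wp_die() when the site has no legitimate reason to accept serialized objects from low-privilege users. Treat it as a compensating control until the plugin is updated, not as a replacement for the patch: a motivated attacker can use encodings the scanner does not unwrap.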

Priority Score

38 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0


CVE-2025-60080 vulnerability details – vuln.today
