CVE-2025-60081

Severity: HIGH
Published: 2025-12-18
CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 18, 2025 - 08:16 (nvd), HIGH 8.8

Description

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection. This issue affects PDF for Contact Form 7: from n/a through <= 6.5.0.

Analysis

Object injection via unsafe deserialization in the PDF for Contact Form 7 WordPress plugin (versions ≤ 6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. The attack requires low-privileged user credentials but no user interaction, and the vulnerable component is reachable over the network. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation was confirmed at the time of analysis. Publicly available exploit code exists per the Patchstack disclosure.

Technical Context

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data) in the PDF for Contact Form 7 WordPress plugin. PHP's unserialize() function, when given untrusted input, can instantiate objects of any class loaded at runtime and trigger their magic methods (__wakeup, __destruct, __toString); this is the primitive behind Object Injection attacks. In a WordPress environment, that primitive can be chained with classes already present in core, themes or other plugins (property-oriented programming, or POP, chains) to achieve remote code execution, file manipulation, or database corruption. The plugin processes PDF generation requests tied to Contact Form 7 submissions and likely deserializes configuration or form data without proper validation. The affected component is developed by add-ons.org and integrates with the widely used Contact Form 7 plugin ecosystem, so any WordPress installation using this PDF generation functionality is within the attack surface.
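As an added illustration of the CWE-502 pattern described above (this is not the plugin's source code and not part of the vuln.today analysis), the following PHP shows an unsafe unserialize() call on request data beside two hardened forms. The function names, the LogWriter class, the option keys and the serialized input are hypothetical and constructed for this example; the plugin's real handler is not known from this page.

```php
<?php
// Hypothetical class with a magic method. Any class of this shape that is
// loaded at runtime (plugin, WordPress core, another plugin) becomes a gadget
// once unserialize() is allowed to instantiate arbitrary classes.
class LogWriter {
    public string $path = '/tmp/example.log';
    public string $data = '';
    // Runs automatically when the object is destroyed, including objects
    // that unserialize() built from attacker-controlled bytes.
    public function __destruct() {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: untrusted request data passed straight to unserialize().
// Every class present at runtime can be instantiated and its __wakeup /
// __destruct side effects fired; that is the object-injection primitive.
// Intentionally never called on the constructed payload below.
function load_pdf_options_unsafe(string $raw): array {
    $opts = unserialize($raw);
    return is_array($opts) ? $opts : [];
}

// HARDENED (option 1): refuse to instantiate any class. Objects in the
// payload are materialised as __PHP_Incomplete_Class, whose magic methods
// never run, so the gadget is inert.
function load_pdf_options_noclasses(string $raw): array {
    $opts = unserialize($raw, ['allowed_classes' => false]);
    return is_array($opts) ? $opts : [];
}

// HARDENED (option 2, preferred for new code): use a data-only format and
// validate the shape explicitly. JSON cannot carry PHP objects at all.
function load_pdf_options_json(string $raw): array {
    $opts = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($opts)) {
        throw new UnexpectedValueException('options must be a JSON object');
    }
    // Allow-list the keys (and their types) that the feature actually needs.
    $allowed = ['filename' => 'string', 'paper' => 'string', 'attach' => 'boolean'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (array_key_exists($key, $opts) && gettype($opts[$key]) === $type) {
            $clean[$key] = $opts[$key];
        }
    }
    return $clean;
}

// Constructed input: a serialized options array that also smuggles a
// LogWriter object under an unexpected key.
$untrusted = 'a:2:{s:8:"filename";s:7:"out.pdf";s:1:"x";'
    . 'O:9:"LogWriter":2:{s:4:"path";s:16:"/tmp/example.log";s:4:"data";s:5:"hello";}}';

// With allowed_classes => false the smuggled object is an incomplete class
// and its __destruct never executes.
$safe = load_pdf_options_noclasses($untrusted);
var_dump($safe['x'] instanceof __PHP_Incomplete_Class);

// The JSON path accepts only the allow-listed keys with the right types.
var_dump(load_pdf_options_json('{"filename":"out.pdf","paper":"A4","attach":true,"x":1}'));
```

The allowed_classes option exists since PHP 7.0 and is the smallest change when a serialized format cannot be abandoned; it does not validate content, so key and type checks like those in the JSON variant are still needed on whatever the call returns.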

Affected Products

WordPress plugin PDF for Contact Form 7 developed by add-ons.org, affecting all versions from initial release through version 6.5.0 inclusive. The vulnerability exists in the core deserialization handling logic used for PDF generation tied to Contact Form 7 form submissions. Installations running version 6.5.0 or earlier are vulnerable. Patchstack vulnerability database entry available at https://patchstack.com/database/Wordpress/Plugin/pdf-for-contact-form-7/vulnerability/wordpress-pdf-for-contact-form-7-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve provides additional technical details and exploitation indicators.

Remediation

Upgrade the PDF for Contact Form 7 plugin to the latest patched version immediately. While the input data specifies the vulnerability through version 6.5.0, the exact fixed version number is not independently confirmed in the available data; consult the WordPress plugin repository or the vendor advisory for the specific release containing the deserialization fix. In the WordPress admin dashboard, select Plugins, locate PDF for Contact Form 7, and apply any available update. If immediate patching is not feasible, implement defense-in-depth controls: restrict plugin access to trusted administrator accounts only, monitor PHP error logs for unserialize() warnings, and consider Web Application Firewall rules blocking suspicious POST payloads to Contact Form 7 endpoints. Review user roles and minimize the number of accounts with plugin configuration privileges. The Patchstack reference URL provides proof-of-concept details that can inform detection rule development for intrusion detection systems.

Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0
