PHP
CVE-2025-60081
Severity (by source): HIGH
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection. This issue affects PDF for Contact Form 7: from n/a through <= 6.5.0.
Analysis (AI)
Object injection via unsafe deserialization in the PDF for Contact Form 7 WordPress plugin (versions ≤ 6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. The attack requires low-privileged user credentials but no user interaction, and the vector is network-accessible. EPSS probability remains low (0.07%, 22nd percentile), and no active exploitation was confirmed at the time of analysis. Publicly available exploit code exists per the Patchstack disclosure.
Technical Context (AI)
This vulnerability stems from CWE-502 (Deserialization of Untrusted Data) in the PDF for Contact Form 7 WordPress plugin. PHP's unserialize() function, when given untrusted input, can instantiate arbitrary objects and trigger magic methods (__wakeup, __destruct, __toString), which is the basis of PHP Object Injection. In WordPress environments this primitive can be chained with classes already loaded by core, themes or other plugins (property-oriented programming, or POP, chains) to achieve remote code execution, file manipulation, or database corruption. The plugin processes PDF generation requests tied to Contact Form 7 submissions, likely deserializing configuration or form data without proper validation. The affected component is developed by add-ons.org and integrates with the popular Contact Form 7 plugin ecosystem, extending the attack surface to any WordPress installation that uses this PDF generation functionality.
Affected Products (AI)
WordPress plugin PDF for Contact Form 7, developed by add-ons.org, in all versions from the initial release through version 6.5.0 inclusive. The vulnerability exists in the core deserialization handling logic used for PDF generation tied to Contact Form 7 form submissions. Installations running version 6.5.0 or earlier are vulnerable. The Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/pdf-for-contact-form-7/vulnerability/wordpress-pdf-for-contact-form-7-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve provides additional technical details and exploitation indicators.
Remediation (AI)
Upgrade the PDF for Contact Form 7 plugin to the latest patched version immediately. While the input data specifies the vulnerability through version 6.5.0, the exact fixed version number is not independently confirmed in the available data; consult the WordPress plugin repository or the vendor advisory for the specific release containing the deserialization fix. Navigate to the WordPress admin dashboard, select Plugins, locate PDF for Contact Form 7, and apply available updates. If immediate patching is not feasible, implement defense-in-depth controls: restrict plugin access to trusted administrator accounts only, monitor PHP error logs for unserialize() warnings, and consider Web Application Firewall rules blocking suspicious POST payloads to Contact Form 7 endpoints. Review user roles and minimize the number of accounts with plugin configuration privileges. The Patchstack reference URL provides proof-of-concept details that can inform detection rule development for intrusion detection systems.
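The unserialize() primitive described under Technical Context, and the hardening and detection measures suggested under Remediation, as an added PHP illustration. This is not the plugin's code and does not reflect how it actually handles its data; the function names, option keys and sample payloads are constructed for the example.

```php
<?php
// Added illustration of CWE-502 in PHP and two hardened alternatives.
// Hypothetical functions; nothing here is taken from the plugin itself.

// VULNERABLE PATTERN: a serialized blob taken from a request reaches
// unserialize() unrestricted. Any class loaded on the site can be
// instantiated and its __wakeup()/__destruct() will run (object injection).
function load_pdf_options_unsafe(string $raw): array {
    $opts = @unserialize($raw);          // class names and properties are attacker-controlled
    return is_array($opts) ? $opts : [];
}

// HARDENED 1: keep the serialized format but forbid object instantiation.
// 'allowed_classes' (PHP >= 7.0) turns every object in the payload into
// __PHP_Incomplete_Class, so no magic method of a real class ever executes.
function load_pdf_options_safe(string $raw): array {
    $opts = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($opts) ? $opts : [];
}

// HARDENED 2 (preferred for new code): use JSON, which has no object
// instantiation semantics, and validate the shape explicitly.
// JSON_THROW_ON_ERROR requires PHP >= 7.3.
function load_pdf_options_json(string $raw): array {
    $opts = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($opts)) {
        throw new InvalidArgumentException('options must be a JSON object');
    }
    // Hypothetical allow-list of option names and their expected PHP types.
    $allowed = ['paper_size' => 'string', 'orientation' => 'string', 'attach' => 'boolean'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (array_key_exists($key, $opts) && gettype($opts[$key]) === $type) {
            $clean[$key] = $opts[$key];
        }
    }
    return $clean;   // unknown keys and wrong types are silently dropped
}

// DETECTION AID for WAF/IDS style rules: flag serialized input that carries
// an object token (O:<len>:"<class>") at the start or after a separator.
// Heuristic only; legitimate data should never contain such a token here.
function contains_serialized_object(string $raw): bool {
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $raw);
}

// Demo with constructed, harmless inputs: a plain options array and the same
// array with a stdClass object (no gadget, no side effects) smuggled in.
$plain  = serialize(['paper_size' => 'A4', 'orientation' => 'portrait']);
$tamper = 'a:1:{s:10:"paper_size";O:8:"stdClass":0:{}}';

var_dump(load_pdf_options_safe($plain)['paper_size']);                                   // "A4"
var_dump(load_pdf_options_safe($tamper)['paper_size'] instanceof __PHP_Incomplete_Class); // true
var_dump(contains_serialized_object($plain));                                            // false
var_dump(contains_serialized_object($tamper));                                           // true
var_dump(load_pdf_options_json('{"paper_size":"A4","attach":"yes","extra":1}'));         // only paper_size survives
```

The 'allowed_classes' option is the smallest change that removes the object-injection primitive from an existing unserialize() call site; switching to JSON with an allow-list additionally removes the serialized format from the attack surface altogether. The detection helper matches the object token that every PHP Object Injection payload must carry, which is why the remediation text suggests filtering suspicious POST bodies at the WAF.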