CVE-2025-60082
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Object Injection. This issue affects PDF for WPForms: from n/a through <= 6.5.0.
Analysis
Object injection via unsafe deserialization in the PDF for WPForms plugin (versions ≤ 6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low attack complexity that requires only low-privileged authentication. The EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing was identified at the time of analysis, so this remains a theoretical risk that nonetheless warrants proactive patching.
Technical Context
This vulnerability stems from unsafe deserialization of untrusted data (CWE-502) in the PDF for WPForms WordPress plugin, which generates PDF documents from WPForms submissions. PHP deserialization flaws occur when user-controlled data is passed to unserialize() without proper validation. Attackers can craft malicious serialized objects containing POP (Property-Oriented Programming) chains that trigger arbitrary method calls during the deserialization process. The affected product is identified as the WordPress plugin 'pdf-for-wpforms' from add-ons.org, with all versions through 6.5.0 vulnerable. Deserialization vulnerabilities in WordPress plugins are particularly dangerous because PHP invokes magic methods (__wakeup, __destruct, __toString) automatically on the reconstructed objects, so a crafted payload can reach dangerous code paths even though the application never calls them directly.
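The following is an added illustration of the CWE-502 pattern described above beside two hardened alternatives; it is not code from the PDF for WPForms plugin, and the function names and the settings payload are hypothetical.

```php
<?php
// Added illustration of CWE-502 in PHP, not code from the PDF for WPForms
// plugin. Function names and the settings payload are hypothetical.

// Weak pattern: user-controlled input reaches unserialize() unfiltered.
// Any class loaded in the process that defines __wakeup()/__destruct()
// can be instantiated by whoever controls $payload.
function load_settings_unsafe(string $payload) {
    return unserialize($payload);
}

// Hardened pattern 1: forbid object instantiation. Scalars and arrays still
// round-trip; any O:... token becomes __PHP_Incomplete_Class, which we reject.
function load_settings_safe(string $payload): array {
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || contains_incomplete_class($data)) {
        throw new InvalidArgumentException('Rejected serialized payload');
    }
    return $data;
}

function contains_incomplete_class($value): bool {
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_incomplete_class($v)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 2: a data-only format. json_decode() cannot create
// application objects, so no magic method is reachable.
function load_settings_json(string $payload): array {
    $data = json_decode($payload, true, 32, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Demo on a constructed payload that tries to instantiate a class.
$constructed = 'O:8:"stdClass":1:{s:1:"x";i:1;}';
try {
    load_settings_safe($constructed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(load_settings_json('{"paper":"A4","landscape":false}'));
```

The allowed_classes restriction only blocks object instantiation; the returned array still needs the same type and range checks as any other user input.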
Affected Products
The vulnerability affects the PDF for WPForms plugin distributed by add-ons.org for WordPress installations. All versions from the plugin's initial release through version 6.5.0 are confirmed vulnerable. This plugin extends WPForms functionality by generating PDF documents from form submissions, commonly used in business workflows for invoices, receipts, and automated document generation. Organizations running WordPress sites with this plugin installed should verify their version immediately. The Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability identifies the specific product context.
Remediation
Site administrators should upgrade PDF for WPForms to version 6.5.1 or later if a patched release has been issued by add-ons.org. Verify the currently installed version through the WordPress admin panel (Plugins section) and apply updates immediately. As an interim mitigation while awaiting a patch, restrict plugin access to fully trusted administrator accounts by reviewing WordPress user roles and removing unnecessary privileges. Audit server logs for suspicious POST requests to plugin endpoints that may indicate exploitation attempts. If PDF generation is not business-critical, consider temporarily disabling the plugin until a patch is confirmed available. Monitor the Patchstack reference at https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability for vendor patch release notifications and additional technical details.