
Woocommerce CVE-2025-60083

HIGH
Deserialization of Untrusted Data (CWE-502)
2025-12-18 audit@patchstack.com
8.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 18, 2025 - 08:16 (nvd), rated HIGH 8.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Object Injection. This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 6.5.0.

Analysis (AI)

Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.

Technical Context (AI)

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), where the PDF Invoice Builder WordPress plugin fails to properly validate or sanitize serialized data before passing it to PHP's unserialize() function. PHP object injection occurs when untrusted data is deserialized, allowing attackers to instantiate arbitrary classes with controlled properties. In WordPress environments, this often leads to remote code execution by leveraging magic methods (__wakeup, __destruct, __toString) in existing classes to create exploit chains. The plugin processes WooCommerce invoice data, likely deserializing user-controllable input from database records or API parameters without proper input validation. Given this is a WordPress plugin vulnerability, the attack surface involves authenticated plugin functionality, potentially invoice customization features or data import mechanisms.

Affected Products (AI)

The vulnerability affects PDF Invoice Builder for WooCommerce plugin developed by add-ons.org, impacting all versions from initial release through version 6.5.0 inclusive. This WordPress plugin integrates with WooCommerce e-commerce platforms to generate customizable PDF invoices. Organizations running WordPress sites with WooCommerce stores using this plugin for invoice generation, packing slips, or delivery notes should consider themselves affected. The vendor advisory and technical details are available through Patchstack's vulnerability database at https://patchstack.com/database/Wordpress/Plugin/pdf-for-woocommerce/vulnerability/wordpress-pdf-invoice-builder-for-woocommerce-plugin-6-3-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve, which provides additional context on the object injection mechanism.

Remediation (AI)

Upgrade PDF Invoice Builder for WooCommerce plugin to version 6.5.1 or later if available, verifying the vendor has addressed the deserialization vulnerability through input validation improvements or removal of unsafe unserialize() calls. Check the official WordPress plugin repository or add-ons.org vendor site for the latest patched release. As an interim mitigation, restrict plugin access to only highly trusted administrator accounts, review user role capabilities to minimize low-privilege access to invoice customization features, and implement Web Application Firewall (WAF) rules to detect and block serialized PHP object patterns in POST parameters. Monitor WordPress access logs for suspicious invoice-related requests containing serialized data indicators (strings beginning with O: or a: followed by curly braces). Organizations unable to patch immediately should consider temporarily disabling the plugin if invoice generation functionality is non-critical, or implementing network segmentation to isolate WooCommerce administrative interfaces. Consult the Patchstack advisory for vendor-specific remediation guidance and validate patch effectiveness through testing in non-production environments before deployment.
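One way to implement the log check described above, as an added example that is not from vuln.today, the plugin vendor or Patchstack: it scans access-log request lines for URL-encoded PHP serialized object headers (O:<len>:"<Class>":<n>:{), including objects nested inside serialized arrays, and ignores strings whose declared name length does not match the class name. The log format, IP addresses and parameter names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Header of a PHP serialized object: O:<namelen>:"<Class>":<propcount>:{
PHP_OBJECT = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":(\d+):\{')
# Request line as written by a common access-log format
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def serialized_objects(value):
    """Return class names of PHP serialized objects embedded in a parameter value.

    The value is URL-decoded once more to catch double-encoded payloads, and the
    declared name length must equal the class name length, which filters out
    text that merely contains 'O:'. Arrays (a:n:{...}) are not flagged on their
    own; only objects nested inside them are.
    """
    decoded = unquote_plus(value)
    return [cls for n, cls, _ in PHP_OBJECT.findall(decoded) if int(n) == len(cls)]


def scan_access_log(lines):
    """Return (line_no, parameter, classes) for requests carrying a PHP object."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                classes = serialized_objects(value)
                if classes:
                    hits.append((line_no, param, classes))
    return hits


# Constructed sample lines; parameter names are illustrative, not the plugin's.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2025:08:16:01 +0000] "GET /wp-content/plugins/pdf-for-woocommerce/assets/style.css HTTP/1.1" 200 812',
    '10.0.0.7 - - [18/Dec/2025:08:16:02 +0000] "POST /wp-admin/admin-ajax.php?action=invoice_settings&template=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D HTTP/1.1" 200 55',
    '10.0.0.7 - - [18/Dec/2025:08:16:03 +0000] "POST /wp-admin/admin-ajax.php?action=invoice_settings&note=O%3A2%3A%22abc%22%3A0%3A%7B%7D HTTP/1.1" 200 55',
    '10.0.0.9 - - [18/Dec/2025:08:16:04 +0000] "GET /?s=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for line_no, param, classes in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} carries PHP object(s) {classes}")
```

Only query strings appear in standard access logs; to cover POST bodies, feed the same `serialized_objects` check the parameter values captured by a WAF or application-level request log.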


CVE-2025-60083 vulnerability details – vuln.today
