PDF for Elementor Forms CVE-2025-60084

HIGH
Deserialization of Untrusted Data (CWE-502)
2025-12-18 audit@patchstack.com
8.8
CVSS 3.1 · NVD
Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (5 events)

Analysis Updated: Apr 24, 2026 00:15 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 15:43 (vuln.today), trigger: cvss_changed
CVSS changed: Apr 23, 2026 15:43 (NVD), 8.6 (HIGH) to 8.8 (HIGH)
Analysis Generated: Apr 01, 2026 15:22 (vuln.today)
CVE Published: Dec 18, 2025 08:16 (NVD), HIGH 8.6

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.

Analysis (AI)

PHP object injection in the PDF for Elementor Forms plugin through version 6.5.0 allows authenticated attackers to execute arbitrary code or manipulate application logic via deserialization of untrusted data. While CVSS scores this 8.8 (High), real-world risk is tempered by the authentication requirement (PR:L) and a low EPSS score (0.06%, 19th percentile), indicating minimal observed exploitation attempts. No CISA KEV listing or public exploit code has been identified, suggesting attacks remain theoretical rather than widespread.

Technical Context (AI)

This vulnerability stems from unsafe PHP deserialization (CWE-502) in the PDF for Elementor Forms WordPress plugin, which generates PDF documents from Elementor form submissions. PHP's unserialize() function instantiates whatever classes a serialized string names when it processes untrusted input, so an attacker who controls that input can trigger magic methods (__wakeup, __destruct) on classes already loaded in the WordPress environment. The plugin likely deserializes user-controlled data from form submissions or template configurations without proper validation. Affected component: add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder (wordpress-pdf-for-elementor-forms) versions up to and including 6.5.0. The Patchstack reference indicates this was identified through a security audit rather than active exploitation.

Affected Products (AI)

Affected product: PDF for Elementor Forms + Drag And Drop Template Builder WordPress plugin (developed by add-ons.org), versions from the earliest release through 6.5.0 inclusive. Vulnerability disclosed by the Patchstack audit team. No vendor CPE string is available in NVD data. Patchstack database entry: https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-php-object-injection-vulnerability (note: the URL references 6.3.1, but the CVE states 6.5.0 as the latest affected version).

Remediation (AI)

Primary fix: Upgrade to PDF for Elementor Forms version 6.5.1 or later if available (verify the current patched version at the WordPress.org plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-php-object-injection-vulnerability). Immediate compensating controls if a patch is unavailable: restrict WordPress user account creation and review existing non-admin accounts, as exploitation requires authenticated access (PR:L). Remove or deactivate the plugin entirely if PDF generation from Elementor forms is not business-critical. Monitor WordPress audit logs for unusual form submission patterns or template modifications by low-privilege users. Note: Restricting user accounts trades functionality (legitimate user access) for security and may impact sites relying on subscriber/contributor roles.
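The unsafe unserialize() pattern described under Technical Context and the hardening a plugin author would apply instead, as an added example that is not the plugin's code; the handler names, the settings keys (paper_size, orientation, fields) and the sample inputs are hypothetical:

```php
<?php
// Added illustration, not code from PDF for Elementor Forms. A hypothetical
// handler that loads template settings submitted with a form request.

// UNSAFE (CWE-502): unserialize() on request data will instantiate any class
// named in the string and run its __wakeup()/__destruct(), which is the
// object-injection primitive this advisory describes.
function load_template_settings_unsafe(string $raw): array {
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// HARDENED: forbid object instantiation, bound nesting depth, and keep only
// the scalar/array shape the template builder actually needs.
function load_template_settings_safe(string $raw): array {
    // allowed_classes => false (PHP >= 7.0) turns every serialized object into
    // __PHP_Incomplete_Class, so no magic method of a loaded class can fire.
    // max_depth (PHP >= 7.4) limits deeply nested payloads.
    $data = unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data)) {
        return []; // false on malformed input, or a bare scalar/object
    }
    // Defence in depth: allow-list keys and types, and drop anything that is
    // still object-shaped (an incomplete-class placeholder counts as an object).
    $allowed = ['paper_size' => 'is_string', 'orientation' => 'is_string', 'fields' => 'is_array'];
    $clean = [];
    foreach ($allowed as $key => $typeCheck) {
        if (isset($data[$key]) && $typeCheck($data[$key]) && !contains_object($data[$key])) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a legitimate settings array and an object-bearing string.
$legit  = serialize(['paper_size' => 'A4', 'orientation' => 'portrait']);
$object = 'O:8:"stdClass":0:{}';
var_dump(load_template_settings_safe($legit));   // array with both keys kept
var_dump(load_template_settings_safe($object));  // empty array, no object created
```

Where the plugin controls the storage format, storing template configuration as JSON and reading it with json_decode($raw, true) removes the object-instantiation path entirely rather than restricting it.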

CVE-2025-60084 vulnerability details – vuln.today