CVE-2025-60084

HIGH
2025-12-18 [email protected]
8.6
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 18, 2025 - 08:16 nvd

Description

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.

Analysis

PHP object injection in the PDF for Elementor Forms WordPress plugin (versions <= 6.5.0) lets an unauthenticated remote attacker feed attacker-controlled serialized data to unserialize(), instantiating arbitrary PHP classes with attacker-chosen property values. Instantiation alone is the object injection; it escalates to code execution, file manipulation or application-state tampering only where a usable gadget chain (a class with a side-effecting magic method) exists in the plugin, WordPress core or a vendored library. The CVSS vector rates confidentiality High and integrity and availability Low. EPSS probability is low (0.06%, 19th percentile) and no public exploit was identified at the time of analysis. The unauthenticated network attack vector (AV:N/PR:N/UI:N) still warrants prompt patching on every site that runs the plugin.

Technical Context

This vulnerability is CWE-502 (Deserialization of Untrusted Data) in the PDF for Elementor Forms WordPress plugin, which generates PDFs from Elementor form submissions and ships a drag-and-drop template builder. PHP object injection occurs when an application passes user-supplied data to unserialize() without restricting which classes may be instantiated: the attacker controls the class name and every property value of each object created. Instantiation by itself is rarely the goal. The attacker looks for classes (in the plugin, WordPress core or vendored libraries) whose magic methods (__wakeup, __destruct, __toString, __call) perform side effects such as file writes, database queries or further unserialize() calls, and chains them into a gadget chain that ends in remote code execution, SQL injection, file manipulation or authentication bypass. The advisory does not name the endpoint that performs the deserialization; given what the plugin does, template or configuration data carried in form-submission or PDF-generation requests is the likely input, but that is inference from the plugin's function rather than a published detail. Input sanitization is not a reliable fix for this class of bug. The fix is to stop calling unserialize() on request data (carry the data as JSON or in a signed token) or, at minimum, to call unserialize() with the allowed_classes option set to false so that no application class is ever instantiated. The affected product is the pdf-for-elementor-forms plugin published by add-ons.org; the CVE record lists all versions through 6.5.0 as affected.
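To make the CWE-502 pattern concrete, here is an added example that is not the plugin's code and not taken from the advisory: a hypothetical gadget class, the vulnerable unserialize() call, and two hardened alternatives. TemplateCache, the load_template_* functions and the payload are assumptions for the demo; it targets PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not the plugin's code). TemplateCache is a hypothetical
// gadget class standing in for whatever side-effecting class exists in the
// plugin, WordPress core or a vendored library; the payload is constructed.

class TemplateCache
{
    /** @var string[] paths the gadget would have written, kept for observation */
    public static array $fired = [];

    public string $path = '';
    public string $contents = '';

    // Runs when the object is destroyed, whether or not the caller ever
    // touched it. A real gadget would do file_put_contents($this->path,
    // $this->contents) here; this demo only records the path.
    public function __destruct()
    {
        self::$fired[] = $this->path;
    }
}

// VULNERABLE (the CWE-502 pattern): request data straight into unserialize().
function load_template_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED: allowed_classes => false turns every O:/C: token into a
// __PHP_Incomplete_Class placeholder, so no constructor, __wakeup or
// __destruct of an application class runs. Available since PHP 7.0.
function load_template_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// PREFERRED: do not accept PHP serialization from the network at all.
// JSON carries the same data and instantiates nothing.
function load_template_json(string $raw): ?array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed attacker payload, the shape placed in a request parameter.
// Every declared length must match the bytes that follow exactly, or
// unserialize() returns false without instantiating anything.
$payload = 'O:13:"TemplateCache":2:{'
    . 's:4:"path";s:14:"/tmp/pwned.php";'
    . 's:8:"contents";s:19:"<?php phpinfo(); ?>";'
    . '}';

// Result discarded on purpose: the object dies at the end of the statement
// and __destruct fires anyway.
load_template_vulnerable($payload);
var_dump(TemplateCache::$fired);

// Same payload through the hardened path: a placeholder object comes back
// and the gadget list is unchanged.
$safe = load_template_hardened($payload);
var_dump($safe instanceof __PHP_Incomplete_Class);
var_dump(TemplateCache::$fired);

// The JSON handler rejects the blob outright.
try {
    load_template_json($payload);
} catch (JsonException $e) {
    echo "JSON handler rejected serialized input: {$e->getMessage()}\n";
}
```

Running it shows the vulnerable path firing __destruct even though the caller discards the result, while the hardened path returns a __PHP_Incomplete_Class and the gadget stays inert. allowed_classes stops class instantiation but attacker-controlled data still flows into the application; switching the transport to JSON removes the deserialization sink entirely.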

Affected Products

The vulnerability affects PDF for Elementor Forms + Drag And Drop Template Builder, a WordPress plugin published by add-ons.org (slug pdf-for-elementor-forms). The CVE record lists every version up to and including 6.5.0 as affected and gives no lower bound ("from n/a"), so all earlier releases should be treated as vulnerable. The plugin integrates with the Elementor page builder to produce PDFs from form submissions. Administrators can check the installed version in the WordPress dashboard under Plugins, with the WP-CLI command wp plugin get pdf-for-elementor-forms --field=version, or by reading the Version header of the plugin's main file. The Patchstack entry referenced under Remediation carries 6.3.1 in its title while the CVE record extends the affected range through 6.5.0; whichever release the entry was first written against, any install at or below 6.5.0 should be treated as affected.

Remediation

Upstream fix available (PR/commit); released patched version not independently confirmed. Per the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-php-object-injection-vulnerability?_s_id=cve, administrators should update PDF for Elementor Forms to the latest version immediately and confirm afterwards that the installed version is above 6.5.0.

If patching is not immediately possible: deactivate the plugin until it is updated (the deserialization cannot run if the plugin code is not loaded); put a WAF rule in front of the site that blocks request parameters containing serialized PHP object tokens, that is O: or C: followed by a length, a colon and a double-quoted class name (for example O:8:"stdClass"), bearing in mind that a bare match on 'O:' is noisy and that attackers may base64- or double-URL-encode the payload, so decode before matching; or replace the plugin with another PDF generation solution. Restricting the plugin's public endpoints to authenticated administrators reduces exposure but does not fix the bug, since the attack itself requires no privileges (PR:N). Sites using Wordfence or Patchstack should confirm that virtual patching rules for object injection are enabled. Review web server and WAF logs for requests whose parameters contain serialized-object patterns as indicators of exploitation attempts; standard access logs record only the query string, so catching payloads in POST bodies requires WAF or request-body logging.
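The log-review step above, as an added example rather than code from the plugin, Patchstack or vuln.today: a small PHP script that parses combined-format access-log lines, URL-decodes and base64-decodes each query parameter, and flags only tokens whose declared length matches the quoted class name. The log lines, the tpl parameter and the pdf_preview action are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not the plugin's or Patchstack's code): a log-review helper
// that flags request parameters carrying serialized PHP object tokens.
// The access-log lines below are constructed; "tpl" and "pdf_preview" are
// hypothetical names.

/**
 * Return the class names of serialized PHP objects found in one parameter
 * value. Checks the raw value, a URL-decoded copy (double encoding) and a
 * base64-decoded copy, and requires the declared length to match the quoted
 * name so that text such as "TODO:12:" or a stray "O:" is not flagged.
 */
function serialized_object_classes(string $value): array
{
    $candidates = [$value, urldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }

    $classes = [];
    foreach ($candidates as $text) {
        // O = ordinary object, C = class implementing Serializable.
        if (!preg_match_all('/\b[OC]:(\d+):"([^"]*)"/', $text, $hits, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($hits as $hit) {
            if (strlen($hit[2]) === (int) $hit[1]) {
                $classes[] = $hit[2];
            }
        }
    }
    return array_values(array_unique($classes));
}

/**
 * Scan combined-format access log lines. Only the query string is visible in
 * an access log; POST bodies need WAF or request-body logging.
 */
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $index => $line) {
        if (!preg_match('/"(?:GET|POST|PUT|PATCH) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue; // array-style parameters (a[]=) skipped for brevity
            }
            $classes = serialized_object_classes($value);
            if ($classes !== []) {
                $findings[] = ['line' => $index + 1, 'param' => (string) $name, 'classes' => $classes];
            }
        }
    }
    return $findings;
}

// Constructed sample: a URL-encoded serialized object, a benign request, and
// a base64-encoded object (TzoxMzoi... is base64 of O:13:"TemplateCache":0:{}).
$sampleLog = [
    '203.0.113.5 - - [18/Dec/2025:09:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=pdf_preview&tpl=O%3A13%3A%22TemplateCache%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A14%3A%22%2Ftmp%2Fpwned.php%22%3B%7D HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [18/Dec/2025:09:15:11 +0000] "GET /?p=42 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2025:09:16:40 +0000] "GET /wp-admin/admin-ajax.php?action=pdf_preview&tpl=TzoxMzoiVGVtcGxhdGVDYWNoZSI6MDp7fQ%3D%3D HTTP/1.1" 200 512 "-" "curl/8.4.0"',
];

foreach (scan_access_log($sampleLog) as $f) {
    printf("line %d: parameter '%s' carries serialized object(s): %s\n",
        $f['line'], $f['param'], implode(', ', $f['classes']));
}
```

The first and third sample lines are flagged (the third only because the base64 layer is peeled off first); the benign request is not. The same serialized_object_classes() check can be dropped into a WAF rule or a Wordfence custom block, and the length comparison is what keeps it from firing on ordinary text that happens to contain "O:".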

Priority Score

43
KEV: 0
EPSS: +0.1
CVSS: +43
POC: 0
