Cyber Posture

CVE-2025-60082

Severity: High

Published: 18 December 2025

Published: 18 December 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms (pdf-for-wpforms) allows Object Injection. This issue affects PDF for WPForms: from n/a through <= 6.5.0.

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Flaw remediation directly addresses the deserialization vulnerability by requiring timely patching of the affected PDF for WPForms plugin versions up to 6.5.0.

Prevent: Information input validation enforces checks on untrusted data prior to deserialization, preventing object injection exploitation in the plugin.

Detect: Vulnerability monitoring and scanning detects the presence of the vulnerable PDF for WPForms plugin version, enabling proactive remediation.

Security Summary (AI)

CVE-2025-60082 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the PDF for WPForms plugin (pdf-for-wpforms) from add-ons.org, which allows Object Injection. The issue affects the plugin from n/a through version 6.5.0 and was published on 2025-12-18.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with low privileges, such as an authenticated WordPress user, can exploit it over the network with low attack complexity and no user interaction required, potentially resulting in high impacts to confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve.

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization of untrusted data (Object Injection) in a WordPress plugin can enable remote code execution by exploiting a public-facing web application; per the CVSS vector (PR:L), the attacker needs a low-privileged account on the site.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References