Cyber Posture

CVE-2025-60084

Severity: High
Published: 18 December 2025
Modified: 27 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder (pdf-for-elementor-forms) allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly remediates the deserialization flaw in the PDF for Elementor Forms plugin by identifying, prioritizing, and patching vulnerable versions <= 6.5.0.

prevent: Validates and sanitizes untrusted input data at system entry points to block malicious payloads targeting the plugin's deserialization mechanism.

detect: Vulnerability scanning detects the presence of this object injection vulnerability (CVE-2025-60084) in the WordPress plugin, enabling proactive patching.

Security Summary (AI)

CVE-2025-60084 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin PDF for Elementor Forms + Drag And Drop Template Builder from add-ons.org. The flaw enables Object Injection and affects all versions from n/a through 6.5.0. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

The vulnerability can be exploited remotely over the network by an authenticated attacker with low privileges; the attack has low complexity and requires no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, and object injection of this kind can potentially lead to remote code execution.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-php-object-injection-vulnerability?_s_id=cve provides details on the vulnerability, including mitigation recommendations for the affected plugin versions. Security practitioners should consult this reference for patching instructions and update to a non-vulnerable version where available.

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Deserialization of untrusted data (CWE-502) in a public-facing WordPress plugin enables remote code execution via object injection by low-privilege authenticated users. This directly maps to T1190 (Exploit Public-Facing Application) for initial access or execution, and to T1068 (Exploitation for Privilege Escalation) because a low-privilege account can escalate to full compromise of confidentiality, integrity, and availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References