Description
The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-09-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload potentially enabling Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from the Embed PDF for WPForms plugin’s ajax_handler_download_pdf_media function, which lacks file type validation. This omission allows an authenticated user with Subscriber-level access or higher to upload any file type. Once on the server, a malicious file could be executed, leading to remote code execution. The weakness is categorized as CWE‑434, which is a file upload flaw that permits execution of arbitrary code.

Affected Systems

The affected product is the Embed PDF for WPForms plugin developed by salzano. All releases up to and including 1.1.5 of the plugin are vulnerable. The flaw is exploitable on WordPress installations that have the plugin installed and allow Subscriber accounts (or higher) to use the PDF upload feature.

Risk and Exploitability

The CVSS score of 8.8 marks this issue as High severity. However, the EPSS score is reported as lower than 1%, indicating a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Because the attack requires legitimate Subscriber credentials and exploitation occurs via an AJAX endpoint, the risk is mitigated by the need for authenticated access but remains significant if such accounts exist on the site. Proper restriction or patching is advised to eliminate the threat.

Generated by OpenCVE AI on April 21, 2026 at 19:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Embed PDF for WPForms plugin to the latest version (≥1.1.6) that adds proper file type validation to the upload handler.
  • If an immediate upgrade is not possible, restrict the upload functionality by disabling the ajax_handler_download_pdf_media endpoint or limiting allowed MIME types using WordPress security plugins or custom code; this serves as a temporary workaround to prevent arbitrary file uploads.
  • Audit all Subscriber accounts to ensure that only those who legitimately need access for form creation retain the capability; downgrade or remove unnecessary roles to reduce the attack surface.

Generated by OpenCVE AI on April 21, 2026 at 19:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30304 The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Mon, 22 Sep 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Salzano
Salzano embed Pdf For Wpforms Plugin
Wordpress
Wordpress wordpress
Vendors & Products Salzano
Salzano embed Pdf For Wpforms Plugin
Wordpress
Wordpress wordpress

Fri, 19 Sep 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 19 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Embed PDF for WPForms <= 1.1.5 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Salzano Embed Pdf For Wpforms Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:35.590Z

Reserved: 2025-09-17T18:04:48.301Z

Link: CVE-2025-10647

cve-icon Vulnrichment

Updated: 2025-09-19T11:46:36.032Z

cve-icon NVD

Status : Deferred

Published: 2025-09-19T09:15:33.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10647

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses