Description
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.
Published: 2025-12-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin suffers from deserialization of untrusted data, allowing an attacker to inject crafted PHP objects that are unserialized by the application. This object injection can lead to the execution of arbitrary code, thereby compromising the confidentiality, integrity, and availability of the host system. The weakness is a classic deserialization vulnerability classified as CWE-502.

Affected Systems

WordPress sites that have installed the add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder plugin, from the earliest release up through version 6.5.0, are affected. Any site running one of those versions is potentially exposed and must verify or update its plugin installation.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. The EPSS score of less than 1% suggests that industry-wide exploitation is currently uncommon, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is a remote requester able to trigger the plugin’s deserialization routine, such as through crafted form submissions or direct API calls. If successful, the attacker could gain full control over the affected WordPress site.

Generated by OpenCVE AI on April 29, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PDF for Elementor Forms + Drag And Drop Template Builder plugin to the latest version that removes the deserialization flaw.
  • If an upgrade is not immediately feasible, disable or uninstall the plugin to remove the attack surface until a patch can be applied.
  • Apply WordPress hardening best practices, such as restricting PHP execution in plugin directories and using input validation or serialization guards to prevent future injection vulnerabilities.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.
Values Added: Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.

Type: Title
Values Removed: WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.3.1 - PHP Object Injection vulnerability
Values Added: WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.5.0 - PHP Object Injection vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Sun, 21 Dec 2025 21:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
Add-ons.org
Add-ons.org pdf-for-elementor-forms
Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
Add-ons.org
Add-ons.org pdf-for-elementor-forms
Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.

Type: Title
Values Removed: (none)
Values Added: WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.3.1 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.192Z

Reserved: 2025-09-25T15:20:02.782Z

Link: CVE-2025-60084

Vulnrichment

Updated: 2025-12-18T14:48:05.157Z

NVD

Status: Deferred

Published: 2025-12-18T08:16:08.700

Modified: 2026-04-27T16:16:32.037

Link: CVE-2025-60084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses