PDF for Elementor Forms + Drag And Drop Template Builder Vulnerabil…


by | Jan 30, 2026 | Plugins

Attack Vectors

The WordPress plugin PDF for Elementor Forms + Drag And Drop Template Builder (slug: pdf-for-elementor-forms) has a High-severity vulnerability (CVE-2025-60084, CVSS 7.5) that can be targeted over the network. The issue affects versions up to and including 6.5.0.

The primary risk comes from an attacker who can log in with a low-privilege account—specifically subscriber-level access or higher. In practical terms, this means any environment that allows user registrations, partner logins, or broad account creation may have a larger potential attack surface.

While exploitation requires authentication and the CVSS indicates higher attack complexity, the business concern is that attackers often start with low-level accounts (or obtain them through password reuse, credential stuffing, or compromised users) and then move to higher-impact actions.

Security Weakness

CVE-2025-60084 is a PHP Object Injection weakness caused by deserialization of untrusted input in PDF for Elementor Forms + Drag And Drop Template Builder through version 6.5.0.

By sending specially crafted input, an authenticated attacker may be able to inject a PHP object into the application's runtime. One detail in the advisory matters: no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself. However, if a POP chain exists elsewhere in the WordPress environment (for example, introduced by another plugin or theme), this issue can become much more damaging.

Remediation is straightforward: update to version 6.5.1 or newer, which is identified as the patched release.
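To make the weakness concrete, here is an added example (not the plugin's code; TemplateSettings and the input value are hypothetical) showing the unserialize() pattern that produces a PHP Object Injection bug beside the two fixes a plugin developer would apply. Site owners only need the update above; this illustrates what the patch has to change.

```php
<?php
// Added example, not code from the plugin: the unserialize() pattern behind a
// PHP Object Injection bug next to two hardened replacements. TemplateSettings
// and the input value are constructed for illustration only.

// Stand-in for any class that declares a magic method. Harmless by itself; a
// POP chain is a class whose __wakeup()/__destruct() does something dangerous
// with properties the attacker controls.
class TemplateSettings
{
    public $path = 'default';

    public function __wakeup()
    {
        // Runs automatically whenever unserialize() rebuilds this class.
        echo "__wakeup() executed for " . static::class . "\n";
    }
}

// Constructed input: a serialized object such as a request parameter could carry.
// In the real bug this string arrives from the network, not from serialize().
$seed = new TemplateSettings();
$seed->path = '/tmp/attacker-chosen';
$untrusted = serialize($seed);

// BEFORE (vulnerable): unserialize() instantiates whatever class the input names,
// so the attacker picks the class and its property values and magic methods fire.
function vulnerable_load(string $data)
{
    return unserialize($data);
}

// AFTER, option 1: keep the serialized format but refuse every class. Objects in
// the input become __PHP_Incomplete_Class and no __wakeup()/__destruct() runs.
function hardened_load(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// AFTER, option 2 (preferred for new code): JSON carries no class information.
function json_load(string $data)
{
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

vulnerable_load($untrusted);       // the object is instantiated, so __wakeup() runs
$safe = hardened_load($untrusted); // the class is never rebuilt, so __wakeup() does not run
var_dump($safe instanceof __PHP_Incomplete_Class);
var_dump(json_load('{"path":"default"}')); // a plain array, nothing executable
```

Requires PHP 7.3 or newer (for JSON_THROW_ON_ERROR); the allowed_classes option exists since PHP 7.0.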

Technical or Business Impacts

For business leaders, this vulnerability should be treated as a material risk because it can be leveraged—under the right conditions—to cause high-impact outcomes. If an exploitable POP chain is available via other installed components, attackers could potentially retrieve sensitive data, delete arbitrary files, or even execute code on the site.

Business impacts may include exposure of customer or lead data, disruption of marketing operations (site downtime, broken forms, lost campaigns), reputational harm, and potential compliance and reporting obligations depending on what data is accessible.

Even if no POP chain is currently present, leaving the vulnerable version in place increases risk over time. WordPress sites change frequently—new plugins, theme updates, and integrations can unintentionally introduce the conditions that turn an injection weakness into a full compromise.

Similar Attacks

Object injection and related deserialization flaws have been used in real-world incidents to escalate access and compromise WordPress environments. Examples include:

Elementor Pro vulnerability coverage (Wordfence)

WP Live Chat Support vulnerability coverage (Wordfence)

WooCommerce Payments vulnerability coverage (Wordfence)
