PDF for Gravity Forms + Drag And Drop Template Builder Vulnerabilit…


by | Jan 30, 2026 | Plugins

Attack Vectors

CVE-2025-60080 is a High-severity vulnerability (CVSS 7.5) affecting the WordPress plugin PDF for Gravity Forms + Drag And Drop Template Builder (slug: pdf-for-gravity-forms) in versions 6.5.0 and below.

The attack requires an authenticated WordPress account with Subscriber-level access (or higher). In practical terms, this means organizations that allow user registration, provide customer/member logins, or grant basic accounts to partners or contractors may have a wider attack surface than expected.

This issue is reachable over the network and does not require user interaction once the attacker is logged in, which increases business risk if low-privilege accounts are easy to obtain (for example, through credential reuse, password spraying, or abuse of open registration workflows).
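Because the payload arrives over the network from an ordinary logged-in account, one practical check is to flag request parameters that look like serialized PHP objects, either as a guard in front of legacy unserialize() calls or when triaging application logs. The following is an added example, not part of the advisory or the plugin; the detector function name is hypothetical and the sample values are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's or the advisory's code). A detector for PHP
// serialized-object payloads of the kind an attacker submits to reach an
// unserialize() sink. Function name is hypothetical; samples are constructed.

/**
 * Return true if $value carries a serialized PHP object (O:) or a
 * Serializable-interface payload (C:), directly or base64-wrapped.
 * Plain serialized arrays/scalars (a:, s:, i:) are NOT flagged, since
 * WordPress itself stores those routinely.
 */
function contains_serialized_object(string $value): bool {
    // Matches  O:<len>:"Class":<count>:{   and   C:<len>:"Class":<len>:{
    // The lookbehind avoids false hits inside words such as "INFO:1:...".
    $pattern = '/(?<![A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';
    if (preg_match($pattern, $value)) {
        return true;
    }
    // Payloads are often base64-encoded to survive form encoding.
    if (preg_match('/^[A-Za-z0-9+\/=]{16,}$/', $value)) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false && preg_match($pattern, $decoded)) {
            return true;
        }
    }
    return false;
}

// Constructed samples: benign values a form may legitimately carry, plus
// attacker-style payloads naming hypothetical gadget classes.
$samples = [
    'plain text'             => 'Hello, world',
    'serialized array (ok)'  => 'a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}',
    'serialized object'      => 'O:25:"Hypothetical_Temp_Cleanup":1:{s:4:"path";s:15:"/tmp/victim.txt";}',
    'object nested in array' => 'a:1:{s:1:"x";O:8:"Evil_Gad":0:{}}',
    'base64-wrapped object'  => base64_encode('O:8:"Evil_Gad":0:{}'),
];

foreach ($samples as $label => $value) {
    printf("%-24s -> %s\n", $label, contains_serialized_object($value) ? 'FLAG' : 'ok');
}
```

Expect the first two samples to print `ok` and the last three to print `FLAG`. The check is deliberately signature-based: it will not catch payloads wrapped in formats the code does not decode (gzip, nested JSON), so treat it as a triage aid and a defence-in-depth guard, not a substitute for updating the plugin.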

Security Weakness

The weakness is deserialization of untrusted data (CWE-502): the plugin passes attacker-controlled input to PHP's unserialize(), which lets an attacker instantiate arbitrary PHP classes with attacker-chosen property values. This is PHP Object Injection, and it affects PDF for Gravity Forms + Drag And Drop Template Builder up to and including version 6.5.0.

Object injection on its own only creates objects; the damage comes from what runs afterwards. A usable "POP chain" is a class, loaded anywhere on the site, whose magic method (typically __destruct, __wakeup or __toString) does something dangerous with the properties the attacker controls, such as deleting the file named in a property or evaluating it. Importantly, the vulnerable plugin itself has no known POP chain. However, if your WordPress site also has another plugin or theme installed that provides a usable chain, this vulnerability could be leveraged for more severe outcomes.
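The following is an added example, not code from the plugin or from the advisory, that models both halves of the problem described above: an unserialize() sink fed by request data, and a gadget class that some unrelated plugin might ship. The class and function names (Hypothetical_Temp_Cleanup, vulnerable_restore_state, hardened_restore_state) are hypothetical, and the "victim" file is a temporary file created for the demonstration.

```php
<?php
// Added example (not the plugin's or the advisory's code). Models PHP Object
// Injection on a WordPress site:
//   1. an unserialize() sink that accepts attacker-controlled input, and
//   2. a gadget class with a magic method, shipped by some OTHER plugin or
//      theme (the "POP chain" the advisory says this plugin itself lacks).
// All class and function names below are hypothetical.

// --- Gadget: imagine an unrelated plugin that removes a temp file in its
//     destructor. Harmless on its own; dangerous once an attacker can create
//     an instance whose $path they chose.
class Hypothetical_Temp_Cleanup {
    public $path;
    public function __destruct() {
        if (is_file($this->path)) {
            unlink($this->path);   // the "arbitrary file delete" primitive
        }
    }
}

// --- Vulnerable sink (CWE-502): $raw comes straight from the request, e.g. a
//     form field any Subscriber can submit.
function vulnerable_restore_state($raw) {
    return unserialize($raw);                       // any class may be instantiated
}

// --- Hardened sink: objects are refused outright. For plain data structures
//     json_decode() is the better replacement; if unserialize() must stay,
//     disable class instantiation.
function hardened_restore_state($raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// --- Demonstration ----------------------------------------------------------
$victim = tempnam(sys_get_temp_dir(), 'poi');       // stand-in for wp-config.php
file_put_contents($victim, 'sensitive');

// The attacker hand-crafts the payload offline. All they need is the gadget's
// class name and property layout, which are public in that plugin's source.
$class   = 'Hypothetical_Temp_Cleanup';
$payload = sprintf('O:%d:"%s":1:{s:4:"path";s:%d:"%s";}',
                   strlen($class), $class, strlen($victim), $victim);
echo "Payload: $payload\n";

// 1) Hardened sink: the object comes back as __PHP_Incomplete_Class, its
//    destructor never exists, and the file survives.
$obj = hardened_restore_state($payload);
unset($obj);
printf("After hardened sink, file exists: %s\n", var_export(file_exists($victim), true));

// 2) Vulnerable sink: the real gadget class is instantiated; when the object
//    goes out of scope its destructor runs and deletes the file.
$obj = vulnerable_restore_state($payload);
unset($obj);
printf("After vulnerable sink, file exists: %s\n", var_export(file_exists($victim), true));
```

Two points worth noting from the run. First, the attacker never needs the gadget class to exist on their own machine; the payload is just a string, so "no POP chain in this plugin" only means the attacker has to look elsewhere on the same site. Second, `allowed_classes => false` stops instantiation but does not validate the data, so the real fix is to never hand user input to unserialize() at all, which is why patched releases normally switch such code paths to JSON or to validated scalar fields.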

This matters from a governance standpoint because WordPress sites often run multiple plugins and custom themes, so risk depends on the full ecosystem—not just this single component.

Technical or Business Impacts

If exploited on a site where a suitable POP chain exists (via another plugin or theme), the attacker could delete arbitrary files, retrieve sensitive data, or execute code, depending on what that chain's magic methods do. For business leaders, these translate into real-world impacts such as site defacement, service disruption, loss of customer or lead information, and potential exposure of internal documents generated through forms and PDFs.

For marketing and revenue teams, downtime or loss of website integrity can directly affect lead generation, campaign performance, and brand trust. For compliance and executive stakeholders, potential data access or tampering can trigger incident response costs, regulatory notifications (depending on data involved), and contractual or vendor-risk consequences.

Remediation is straightforward: update PDF for Gravity Forms + Drag And Drop Template Builder to version 6.5.1 or newer, which is the patched release. Since the severity of this issue depends on what else is installed, it is also worth reviewing the site's other plugins and themes for outstanding deserialization advisories and removing any that are unused.

Similar Attacks

PHP object injection and unsafe deserialization issues have been used in multiple high-profile compromises across web platforms. For context, here are a few real examples of deserialization vulnerabilities (these three are Java deserialization flaws) that were widely discussed and exploited in other ecosystems:

CVE-2017-9805 (Apache Struts 2 REST Plugin) — deserialization vulnerability used in real-world attacks

CVE-2019-2725 (Oracle WebLogic) — deserialization leading to remote code execution in enterprise environments

CVE-2015-4852 (Oracle WebLogic) — deserialization flaw associated with significant exploitation activity
