Cyber Resilience

CVE-2025-60082

Severity: High · Type: RCE

Published: 18 December 2025

Modified: 15 April 2026
KEV Added: not listed (see Summary)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (27.1th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-60082 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-60082 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the PDF for WPForms plugin (pdf-for-wpforms) from add-ons.org, which allows Object Injection. The issue affects the plugin from n/a through version 6.5.0 and was published on 2025-12-18.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with low privileges, such as an authenticated WordPress user, can exploit it over the network with low attack complexity and no user interaction required, potentially resulting in high impacts to confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve.


Vulnerability details

Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms (pdf-for-wpforms) allows Object Injection. This issue affects PDF for WPForms: from n/a through <= 6.5.0.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization of untrusted data (Object Injection) in a WordPress plugin enables remote code execution by exploiting a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42779 (shared CWE-502)
CVE-2025-69099 (shared CWE-502)
CVE-2024-49688 (shared CWE-502)
CVE-2026-32512 (shared CWE-502)
CVE-2026-9319 (shared CWE-502)
CVE-2025-40553 (shared CWE-502)
CVE-2025-0724 (shared CWE-502)
CVE-2025-60213 (shared CWE-502)
CVE-2026-3060 (shared CWE-502)
CVE-2025-68541 (shared CWE-502)


Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation (SI-2) directly addresses the deserialization vulnerability by requiring timely patching of the affected PDF for WPForms plugin versions up to 6.5.0.

Prevent: Information input validation (SI-10) enforces checks on untrusted data before it is deserialized, preventing object injection in the plugin.

Detect: Vulnerability monitoring and scanning (RA-5) detects the presence of the vulnerable PDF for WPForms plugin version, enabling proactive remediation.
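To make the SI-10 control concrete for a PHP object-injection flaw, here is an added example (not code from the PDF for WPForms plugin; the function names, settings keys and capability check are hypothetical) contrasting the unsafe unserialize() pattern behind CWE-502 with a handler that validates untrusted input before decoding it and never lets it instantiate objects.

```php
<?php
// Added example, not code from the PDF for WPForms plugin. A hypothetical
// settings-import handler for a WordPress plugin: the unsafe pattern behind
// CWE-502 beside a hardened version that validates input before decoding it.

// Weak pattern: request data goes straight into unserialize(). Any class loaded
// by WordPress or another plugin that defines __wakeup()/__destruct() can then be
// instantiated with attacker-chosen properties (PHP object injection).
function pdf_settings_import_unsafe( string $raw ) {
    return unserialize( $raw ); // CWE-502
}

// Hardened pattern (NIST SI-10): require a capability, decode a format that
// cannot create objects, and accept only allow-listed keys with expected types.
function pdf_settings_import_safe( string $raw ): array {
    // Fail closed: the CVSS vector (PR:L) says any authenticated account sufficed,
    // so a low-privilege user must never reach this code path.
    if ( ! function_exists( 'current_user_can' ) || ! current_user_can( 'manage_options' ) ) {
        throw new RuntimeException( 'insufficient privileges' );
    }
    // JSON decoded to associative arrays only: no class instantiation is possible.
    $data = json_decode( $raw, true, 8, JSON_THROW_ON_ERROR );
    if ( ! is_array( $data ) ) {
        throw new InvalidArgumentException( 'settings must be a JSON object' );
    }
    // Allow-list of fields and validators; unknown fields are rejected, not dropped.
    $rules = [
        'page_size'   => fn( $v ) => is_string( $v ) && in_array( $v, [ 'A4', 'Letter' ], true ),
        'orientation' => fn( $v ) => is_string( $v ) && in_array( $v, [ 'portrait', 'landscape' ], true ),
        'font_size'   => fn( $v ) => is_int( $v ) && $v >= 6 && $v <= 72,
    ];
    $unknown = array_diff_key( $data, $rules );
    if ( $unknown ) {
        throw new InvalidArgumentException( 'unexpected fields: ' . implode( ',', array_keys( $unknown ) ) );
    }
    $clean = [];
    foreach ( $rules as $key => $ok ) {
        if ( ! array_key_exists( $key, $data ) || ! $ok( $data[ $key ] ) ) {
            throw new InvalidArgumentException( "invalid or missing field: $key" );
        }
        $clean[ $key ] = $data[ $key ];
    }
    return $clean;
}

// If a legacy serialized blob must still be read, refuse object creation outright:
// serialized objects become __PHP_Incomplete_Class and no __wakeup()/__destruct() runs.
function pdf_settings_import_legacy( string $raw ) {
    return unserialize( $raw, [ 'allowed_classes' => false ] );
}
```

The allowed_classes option requires PHP 7.0 or later and the arrow functions PHP 7.4 or later; RA-5 scanning still has to confirm the plugin itself is updated past 6.5.0, since input validation in your own code does not fix the vulnerable plugin path.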
