CVE Alert: CVE-2025-10647 – salzano – Embed PDF for WPForms

CVE-2025-10647

HIGH
No exploitation known

The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

CVSS v3.1 (8.8)
Vendor
salzano
Product
Embed PDF for WPForms
Versions
* <= 1.1.5
CWE
CWE-434 Unrestricted Upload of File with Dangerous Type
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-09-19T08:23:58.303Z
Updated
2025-09-19T08:23:58.303Z

AI Summary Analysis

Risk verdict

High risk: any authenticated user with Subscriber-level access or above can upload arbitrary files through the affected plugin, which may lead to remote code execution on the web server. With a CVSS base score of 8.8 and a privilege bar this low, remediation should be treated as a priority.

Why this matters

If exploited, an attacker could plant a web shell, exfiltrate data, or establish persistence on the host, and on shared hosting potentially reach other sites served by the same server. Every WordPress site running Embed PDF for WPForms is affected, and the required privilege is easy to obtain: Subscriber is the default role WordPress assigns to self-registered users, so sites with open registration, membership features, or large multisite user bases hand it out freely.

Most likely attack path

Exploitation needs only network access and a low-privilege account; no user interaction is required. An authenticated Subscriber submits a file through the plugin's AJAX handler (ajax_handler_download_pdf_media), which does not validate the file type, so a PHP payload can land in a web-accessible upload location. Requesting that file then yields remote code execution as the web server user. What follows (other sites on the host, the database credentials in wp-config.php, further account compromise) depends on how the server is segmented and what privileges the web server process holds.

Who is most exposed

Sites running WordPress with the affected plugin, particularly shared-host or multisite deployments and any site that allows self-registration (new users receive the Subscriber role by default) or otherwise keeps active low-privilege accounts for members, commenters or form users.

Detection ideas

  • New .php, .phtml, .phar or similar executable files appearing under wp-content/uploads/ or in the plugin's own directory, especially with names or timestamps that do not match legitimate media.
  • Subscriber accounts calling /wp-admin/admin-ajax.php (the entry point for WordPress AJAX handlers) with uploads of any type other than PDF.
  • Access logs showing an admin-ajax.php POST followed, from the same client, by a request to a script under wp-content/uploads/.
  • Web-shell indicators: PHP error traces, eval/base64 artefacts, or command-output-like content in HTTP responses or log files.
  • Sudden spikes in requests to the plugin endpoint or in upload volume from a single account.
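The third bullet describes an upload-then-execute sequence that is easy to correlate in access logs. The script below is an added example written for this advisory, not code from the site, the plugin or Wordfence. It assumes the plugin's handler is reached through the standard WordPress AJAX entry point /wp-admin/admin-ajax.php (the plugin's action name is not published here, so the filter is on the endpoint, not the action) and that payloads land under /wp-content/uploads/. The log lines are constructed in combined log format.

```python
"""Correlate admin-ajax.php POSTs with later requests for executable files
under wp-content/uploads/, the upload-then-execute pattern for CVE-2025-10647.
Added example; endpoint and path assumptions are stated in the lead-in."""

import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions PHP engines commonly execute; .phtml/.phar/.php5 are often missed
# by blocklists, and the trailing (\.|$) also catches shell.php.pdf style names.
DANGEROUS_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)(\.|$)", re.IGNORECASE)

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"   # assumption: plugin handler lives behind this
UPLOADS_PREFIX = "/wp-content/uploads/"      # assumption: payloads are stored here

# Constructed sample log: one client logs in, calls the AJAX endpoint, then
# fetches a .php file from uploads/; a second client only browses media.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Sep/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [19/Sep/2025:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58',
    '203.0.113.5 - - [19/Sep/2025:10:00:12 +0000] "GET /wp-content/uploads/2025/09/report.php?cmd=id HTTP/1.1" 200 1433',
    '198.51.100.9 - - [19/Sep/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/09/form-3.pdf HTTP/1.1" 200 88211',
    '198.51.100.9 - - [19/Sep/2025:10:03:00 +0000] "GET /wp-content/uploads/2025/09/brochure.phtml HTTP/1.1" 404 0',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_dangerous_upload(path):
    """True if the path is under uploads/ and its file name carries an executable extension."""
    if not path.startswith(UPLOADS_PREFIX):
        return False
    return bool(DANGEROUS_EXT.search(path.rsplit("/", 1)[-1]))


def list_executable_upload_requests(lines):
    """Every request for an executable file under uploads/, regardless of status
    (a 404 still shows someone probing for a dropped script)."""
    return [r["path"] for r in map(parse_line, lines) if r and is_dangerous_upload(r["path"])]


def find_upload_then_execute(lines, window=timedelta(minutes=10)):
    """Return (ip, path) pairs where a client POSTed to admin-ajax.php and then,
    within `window`, requested an executable file under uploads/."""
    last_ajax_post = {}
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == AJAX_ENDPOINT:
            last_ajax_post[rec["ip"]] = rec["ts"]
        elif is_dangerous_upload(rec["path"]):
            t0 = last_ajax_post.get(rec["ip"])
            if t0 is not None and timedelta(0) <= rec["ts"] - t0 <= window:
                hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, path in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT upload-then-execute from {ip}: {path}")
    for path in list_executable_upload_requests(SAMPLE_LOG):
        print(f"NOTE executable file requested under uploads/: {path}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the correlation cannot name the WordPress account (the log only carries the client IP), so pair any hit with the plugin's own records or the site's authentication log to identify the Subscriber involved.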

Mitigation and prioritisation

  • Patch: upgrade to a fixed release (1.1.6 or later; the advisory lists all versions up to and including 1.1.5 as affected), or remove or disable the plugin until it can be updated.
  • Contain: add WAF rules that reject non-PDF uploads to the plugin endpoint, and deny script execution under wp-content/uploads/ at the web server so a dropped file cannot run even if the upload succeeds.
  • Access controls: enforce least privilege for WordPress accounts, review and prune Subscriber accounts, and disable open registration if the site does not need it.
  • Change management: patch in a controlled window, verify compatibility in staging, take a backup before upgrading, and after patching sweep the uploads directory for files dropped before the fix was applied.
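The root cause is the missing file type validation named in the advisory, and the containment bullet above only works if the server-side check is sound. The following is an added illustration, written in Python for this page rather than taken from the plugin's PHP or the vendor's fix, of the policy a PDF-embedding upload handler needs: sanitise the name, refuse executable extensions anywhere in it, allow exactly one extension, and confirm the bytes really are a PDF. The weak check shown alongside models the usual mistake of trusting the client's declared MIME type; the function names and sample inputs are constructed for the example.

```python
"""Server-side upload validation of the kind CVE-2025-10647 lacked (CWE-434).
Added example, not the plugin's code; names and sample inputs are constructed."""

import os
import re

ALLOWED_EXTENSIONS = {"pdf"}
# Extensions a web server or PHP may execute; rejected anywhere in the name so
# that shell.php.pdf and shell.pdf\x00.php style tricks do not get through.
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|phar|phps|cgi|pl|py|sh)(\.|$)", re.IGNORECASE)
PDF_MAGIC = b"%PDF-"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def weak_check(filename, declared_mime):
    """The pattern to avoid: trusts the Content-Type the client sent and never
    looks at the name or the bytes. Accepts shell.php as application/pdf."""
    return declared_mime == "application/pdf"


def sanitize_filename(name):
    """Drop directory components, null bytes and odd characters so the stored
    name cannot traverse directories or hide a second extension."""
    name = name.replace("\x00", "")
    name = os.path.basename(name.replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip("._")  # also removes a leading dot (.htaccess)
    if not name:
        raise UploadRejected("empty filename after sanitisation")
    return name


def validate_pdf_upload(filename, content):
    """Return the safe filename to store under, or raise UploadRejected.
    Order matters: name checks first, then the allowlist, then the content."""
    name = sanitize_filename(filename)
    if EXECUTABLE_EXT.search(name):
        raise UploadRejected(f"executable extension in {name!r}")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not content.startswith(PDF_MAGIC):
        raise UploadRejected("content does not start with a PDF header")
    return name


def accepts(filename, content):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_pdf_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate PDF and several payload-style names.
    cases = [
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("shell.php", b"<?php system($_GET['cmd']); ?>"),
        ("shell.php.pdf", b"%PDF-1.7\n"),
        ("shell.pdf\x00.php", b"%PDF-1.7\n"),
        ("../../wp-config.pdf", b"%PDF-1.7\n"),
        ("shell.pdf", b"<?php system($_GET['cmd']); ?>"),
        (".htaccess", b"%PDF-1.7\n"),
    ]
    for fname, data in cases:
        print(f"{fname!r:24} weak={weak_check(fname, 'application/pdf')!s:5} strict={accepts(fname, data)}")
```

The same checks belong in WordPress code: wp_check_filetype_and_ext() performs the extension and content sniffing step, and the handler should additionally verify the nonce and the caller's capability before touching the filesystem, since a Subscriber has no business writing to the media library at all.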
