CVE-2025-68534
Description
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for WPForms: from n/a through <= 6.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in PDF for WPForms plugin (<6.3.0) allows unprivileged users to exploit broken access control, potentially leading to unauthorized actions.
Vulnerability
Description
The PDF for WPForms plugin for WordPress versions up to and including 6.3.0 suffers from a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing unauthenticated or low-privileged users to execute actions that should require higher privileges. This is a classic broken access control issue.[1]
Exploitation
Attackers can exploit this vulnerability by sending specially crafted requests that bypass authorization checks. Since the vulnerability does not require authentication, it can be exploited remotely by anyone with network access to the WordPress site. The lack of nonce tokens or capability checks in affected endpoints makes it easy to exploit. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of sites.[1]
Impact
Successful exploitation could allow an attacker to perform arbitrary actions within the plugin's context, such as modifying PDF templates, accessing sensitive data, or escalating privileges. The CVSS score of 6.5 (Medium) indicates a moderate severity, but the ease of exploitation and widespread use of the plugin raises the risk.[1]
Mitigation
The vulnerability is patched in version 6.3.1. Users are strongly advised to update immediately. If an immediate update is not possible, Patchstack offers a virtual patching rule to block exploits until the update can be applied. Hosting providers can assist with mitigation if needed.[1]
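The Exploitation and Mitigation sections above describe the general mechanism (an endpoint reachable without a nonce or capability check) without showing code. The following is an added illustration of that pattern in a generic WordPress AJAX handler; it is not code from the PDF for WPForms plugin, and the hook names, option name, script handle and capability are hypothetical placeholders. The first handler shows the missing-authorization shape, the second the hardened form.

```php
<?php
// Added illustration, not the plugin's code. Action names, the option
// 'example_pdf_template', the script handle 'example-admin-js' and the
// capability 'manage_options' are all hypothetical placeholders.

// --- Vulnerable shape: reachable by unauthenticated visitors through the
// wp_ajax_nopriv_ hook, and no nonce or capability check before a write.
add_action( 'wp_ajax_nopriv_example_save_pdf_template_insecure', 'example_save_pdf_template_insecure' );
add_action( 'wp_ajax_example_save_pdf_template_insecure', 'example_save_pdf_template_insecure' );

function example_save_pdf_template_insecure() {
    // Anyone who can reach admin-ajax.php can overwrite this setting.
    $template = isset( $_POST['template'] ) ? $_POST['template'] : '';
    update_option( 'example_pdf_template', $template );
    wp_send_json_success();
}

// --- Hardened shape: logged-in users only (no wp_ajax_nopriv_ registration),
// CSRF nonce verified, an explicit capability required, input sanitized.
add_action( 'wp_ajax_example_save_pdf_template', 'example_save_pdf_template_secure' );

function example_save_pdf_template_secure() {
    // 1. Nonce: rejects requests forged cross-site on behalf of a logged-in
    //    user. The page receives the nonce via wp_create_nonce() below and
    //    posts it back in the 'security' field; on mismatch WordPress stops
    //    the request with a 403 before any of the code below runs.
    check_ajax_referer( 'example_save_pdf_template', 'security' );

    // 2. Authorization: a nonce proves the request came from this site's
    //    page, not that the user may perform the action. A subscriber can
    //    obtain a nonce too, so the capability check is the actual access
    //    control.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input handling: unslash and sanitize before persisting.
    $template = isset( $_POST['template'] )
        ? sanitize_text_field( wp_unslash( $_POST['template'] ) )
        : '';
    update_option( 'example_pdf_template', $template );
    wp_send_json_success( array( 'template' => $template ) );
}

// Issue the nonce to the admin page's script so legitimate requests can
// include it (hypothetical script handle).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin-js', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_pdf_template' ),
    ) );
} );
```

When auditing a plugin for this class of issue, the useful first pass is to list every `wp_ajax_nopriv_` and `admin_post_nopriv_` registration and every REST route whose `permission_callback` is `__return_true`, then confirm that each such handler performs only actions an anonymous visitor should be allowed. Handlers that write options or files, or that read data for a specific user, should be registered for logged-in users only and carry both the nonce check and a `current_user_can()` check, in that order.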
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 6.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.