CVE-2026-22350
Description
Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing Authorization in PDF for Elementor Forms plugin (≤6.3.1) allows unauthenticated attackers to perform unauthorized actions due to broken access control.
Vulnerability
The PDF for Elementor Forms plugin for WordPress, versions ≤6.3.1, suffers from a missing authorization vulnerability [1]. The plugin's access control security levels are incorrectly configured, allowing an attacker to exploit broken access control [1]. This type of flaw occurs when a function lacks proper authorization, authentication, or nonce token checks, enabling an unprivileged user to perform actions reserved for higher privileged users [1].
Exploitation
The attack surface is the WordPress admin interface; no authentication is needed to trigger the missing authorization vulnerability [1]. An attacker can exploit this by directly sending crafted requests to the vulnerable endpoints [1]. The plugin's broken access control makes it possible to bypass security restrictions without prior login [1].
Impact
An unauthenticated attacker can execute higher privileged actions, such as accessing or modifying sensitive plugin settings or data [1]. This could lead to unauthorized generation of PDF forms, data exposure, or other unintended operations within the Elementor form context [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns against thousands of websites simultaneously [1].
Mitigation
The vendor has released version 6.5.0, which fixes the broken access control [1]. Users should update immediately to that version or use Patchstack's automatic mitigation rule to block attacks until updated [1]. No workaround is provided, so the only complete fix is upgrading. Persons unable to update should consult their hosting provider or web developer for assistance [1]. References [1] .
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=6.3.1
Patches
No patches discovered yet.