Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
18 vulnerabilities by add-ons.org
CVE-2026-25328 (GCVE-0-2026-25328)
Vulnerability from cvelistv5 – Published: 2026-03-25 16:14 – Updated: 2026-03-26 17:32
VLAI?
Title
WordPress Product File Upload for WooCommerce plugin <= 2.2.4 - Arbitrary File Deletion vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal.This issue affects Product File Upload for WooCommerce: from n/a through <= 2.2.4.
Severity ?
6.8 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | Product File Upload for WooCommerce |
Affected:
n/a , ≤ <= 2.2.4
(custom)
|
Date Public ?
2026-03-25 17:12
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:26:59.969263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:32:19.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "products-file-upload-for-woocommerce",
"product": "Product File Upload for WooCommerce",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "2.2.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 2.2.4",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Denver Jackson | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-03-25T17:12:20.901Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal.\u003cp\u003eThis issue affects Product File Upload for WooCommerce: from n/a through \u003c= 2.2.4.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal.This issue affects Product File Upload for WooCommerce: from n/a through \u003c= 2.2.4."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T16:14:40.912Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/products-file-upload-for-woocommerce/vulnerability/wordpress-product-file-upload-for-woocommerce-plugin-2-2-4-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Product File Upload for WooCommerce plugin \u003c= 2.2.4 - Arbitrary File Deletion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-25328",
"datePublished": "2026-03-25T16:14:40.912Z",
"dateReserved": "2026-02-02T12:52:29.366Z",
"dateUpdated": "2026-03-26T17:32:19.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22350 (GCVE-0-2026-22350)
Vulnerability from cvelistv5 – Published: 2026-02-20 15:47 – Updated: 2026-04-01 14:13
VLAI?
Title
WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.3.1 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for Elementor Forms + Drag And Drop Template Builder |
Affected:
0 , ≤ 6.3.1
(custom)
|
Date Public ?
2026-04-01 16:03
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-22350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:39:31.367807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:40:29.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-elementor-forms",
"product": "PDF for Elementor Forms + Drag And Drop Template Builder",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Legion Hunter | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:03:50.436Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.3.1.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:13:34.929Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin \u003c= 6.3.1 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-22350",
"datePublished": "2026-02-20T15:47:00.543Z",
"dateReserved": "2026-01-07T12:21:19.919Z",
"dateUpdated": "2026-04-01T14:13:34.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68534 (GCVE-0-2025-68534)
Vulnerability from cvelistv5 – Published: 2026-02-20 15:46 – Updated: 2026-04-01 14:12
VLAI?
Title
WordPress PDF for WPForms plugin <= 6.3.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 6.3.0.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for WPForms |
Affected:
0 , ≤ 6.3.0
(custom)
|
Date Public ?
2026-04-01 16:02
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68534",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T21:44:49.034182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T21:45:43.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-wpforms",
"product": "PDF for WPForms",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Legion Hunter | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:02:34.477Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects PDF for WPForms: from n/a through \u003c= 6.3.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through \u003c= 6.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:12:10.874Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for WPForms plugin \u003c= 6.3.0 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68534",
"datePublished": "2026-02-20T15:46:39.366Z",
"dateReserved": "2025-12-19T10:17:09.986Z",
"dateUpdated": "2026-04-01T14:12:10.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-60084 (GCVE-0-2025-60084)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:22 – Updated: 2026-04-01 14:08
VLAI?
Title
WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.5.0 - PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.
Severity ?
8.6 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for Elementor Forms + Drag And Drop Template Builder |
Affected:
0 , ≤ 6.5.0
(custom)
|
Date Public ?
2026-04-01 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-60084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T14:47:46.046980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T15:32:11.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-elementor-forms",
"product": "PDF for Elementor Forms + Drag And Drop Template Builder",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.5.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:00:17.329Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection.\u003cp\u003eThis issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.5.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:08:54.330Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin \u003c= 6.5.0 - PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-60084",
"datePublished": "2025-12-18T07:22:07.769Z",
"dateReserved": "2025-09-25T15:20:02.782Z",
"dateUpdated": "2026-04-01T14:08:54.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-60083 (GCVE-0-2025-60083)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:22 – Updated: 2026-04-01 14:08
VLAI?
Title
WordPress PDF Invoice Builder for WooCommerce plugin <= 6.5.0 - Deserialization of untrusted data vulnerability
Summary
Deserialization of Untrusted Data vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Object Injection.This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 6.5.0.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF Invoice Builder for WooCommerce |
Affected:
0 , ≤ 6.5.0
(custom)
|
Date Public ?
2026-04-01 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-60083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T16:42:24.871818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T16:59:56.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-woocommerce",
"product": "PDF Invoice Builder for WooCommerce",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.5.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:00:16.238Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Object Injection.\u003cp\u003eThis issue affects PDF Invoice Builder for WooCommerce: from n/a through \u003c= 6.5.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Object Injection.This issue affects PDF Invoice Builder for WooCommerce: from n/a through \u003c= 6.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:08:54.017Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-woocommerce/vulnerability/wordpress-pdf-invoice-builder-for-woocommerce-plugin-6-3-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF Invoice Builder for WooCommerce plugin \u003c= 6.5.0 - Deserialization of untrusted data vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-60083",
"datePublished": "2025-12-18T07:22:07.543Z",
"dateReserved": "2025-09-25T15:20:02.782Z",
"dateUpdated": "2026-04-01T14:08:54.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-60082 (GCVE-0-2025-60082)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:22 – Updated: 2026-04-01 14:08
VLAI?
Title
WordPress PDF for WPForms plugin <= 6.5.0 - Deserialization of untrusted data vulnerability
Summary
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Object Injection.This issue affects PDF for WPForms: from n/a through <= 6.5.0.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for WPForms |
Affected:
0 , ≤ 6.5.0
(custom)
|
Date Public ?
2026-04-01 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-60082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T16:42:44.350609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T17:00:06.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-wpforms",
"product": "PDF for WPForms",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.5.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:00:16.230Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Object Injection.\u003cp\u003eThis issue affects PDF for WPForms: from n/a through \u003c= 6.5.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Object Injection.This issue affects PDF for WPForms: from n/a through \u003c= 6.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:08:53.868Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for WPForms plugin \u003c= 6.5.0 - Deserialization of untrusted data vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-60082",
"datePublished": "2025-12-18T07:22:07.372Z",
"dateReserved": "2025-09-25T15:20:02.782Z",
"dateUpdated": "2026-04-01T14:08:53.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-60081 (GCVE-0-2025-60081)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:22 – Updated: 2026-04-01 14:08
VLAI?
Title
WordPress PDF for Contact Form 7 plugin <= 6.5.0 - Deserialization of untrusted data vulnerability
Summary
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection.This issue affects PDF for Contact Form 7: from n/a through <= 6.5.0.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for Contact Form 7 |
Affected:
0 , ≤ 6.5.0
(custom)
|
Date Public ?
2026-04-01 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-60081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T16:43:14.429952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T17:00:12.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-contact-form-7",
"product": "PDF for Contact Form 7",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.5.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:00:16.013Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection.\u003cp\u003eThis issue affects PDF for Contact Form 7: from n/a through \u003c= 6.5.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection.This issue affects PDF for Contact Form 7: from n/a through \u003c= 6.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:08:53.706Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-contact-form-7/vulnerability/wordpress-pdf-for-contact-form-7-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for Contact Form 7 plugin \u003c= 6.5.0 - Deserialization of untrusted data vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-60081",
"datePublished": "2025-12-18T07:22:07.192Z",
"dateReserved": "2025-09-25T15:20:02.781Z",
"dateUpdated": "2026-04-01T14:08:53.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-60080 (GCVE-0-2025-60080)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:22 – Updated: 2026-04-01 14:08
VLAI?
Title
WordPress PDF for Gravity Forms + Drag And Drop Template Builder plugin <= 6.5.0 - PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection.This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.
Severity ?
7.5 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for Gravity Forms + Drag And Drop Template Builder |
Affected:
0 , ≤ 6.5.0
(custom)
|
Date Public ?
2026-04-01 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-60080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T16:45:35.739537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T17:00:17.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-gravity-forms",
"product": "PDF for Gravity Forms + Drag And Drop Template Builder",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.5.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:00:14.690Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection.\u003cp\u003eThis issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.5.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection.This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:08:53.544Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-gravity-forms/vulnerability/wordpress-pdf-for-gravity-forms-drag-and-drop-template-builder-plugin-6-3-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for Gravity Forms + Drag And Drop Template Builder plugin \u003c= 6.5.0 - PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-60080",
"datePublished": "2025-12-18T07:22:07.018Z",
"dateReserved": "2025-09-25T15:20:02.781Z",
"dateUpdated": "2026-04-01T14:08:53.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58620 (GCVE-0-2025-58620)
Vulnerability from cvelistv5 – Published: 2025-09-03 14:36 – Updated: 2026-04-01 15:58
VLAI?
Title
WordPress PDF for WPForms Plugin <= 6.2.1 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Stored XSS.This issue affects PDF for WPForms: from n/a through <= 6.2.1.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for WPForms |
Affected:
0 , ≤ 6.2.1
(custom)
|
Date Public ?
2026-04-01 16:42
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T17:36:45.759945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T17:49:22.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-wpforms",
"product": "PDF for WPForms",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.3.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:42:40.368Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Stored XSS.\u003cp\u003eThis issue affects PDF for WPForms: from n/a through \u003c= 6.2.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Stored XSS.This issue affects PDF for WPForms: from n/a through \u003c= 6.2.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:58:35.472Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for WPForms Plugin \u003c= 6.2.1 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58620",
"datePublished": "2025-09-03T14:36:49.757Z",
"dateReserved": "2025-09-03T09:02:47.358Z",
"dateUpdated": "2026-04-01T15:58:35.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49387 (GCVE-0-2025-49387)
Vulnerability from cvelistv5 – Published: 2025-08-28 12:37 – Updated: 2026-04-01 15:55
VLAI?
Title
WordPress Drag and Drop File Upload for Elementor Forms Plugin <= 1.5.3 - Arbitrary File Upload Vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.5.3.
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | Drag and Drop File Upload for Elementor Forms |
Affected:
0 , ≤ 1.5.3
(custom)
|
Date Public ?
2026-04-01 16:41
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T15:38:30.719343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T15:38:44.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "drag-and-drop-file-upload-for-elementor-forms",
"product": "Drag and Drop File Upload for Elementor Forms",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "1.5.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:07.118Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server.\u003cp\u003eThis issue affects Drag and Drop File Upload for Elementor Forms: from n/a through \u003c= 1.5.3.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through \u003c= 1.5.3."
}
],
"impacts": [
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "Upload a Web Shell to a Web Server"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:55:26.330Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/drag-and-drop-file-upload-for-elementor-forms/vulnerability/wordpress-drag-and-drop-file-upload-for-elementor-forms-plugin-1-5-3-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"title": "WordPress Drag and Drop File Upload for Elementor Forms Plugin \u003c= 1.5.3 - Arbitrary File Upload Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49387",
"datePublished": "2025-08-28T12:37:13.181Z",
"dateReserved": "2025-06-04T15:43:46.346Z",
"dateUpdated": "2026-04-01T15:55:26.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58208 (GCVE-0-2025-58208)
Vulnerability from cvelistv5 – Published: 2025-08-27 17:45 – Updated: 2026-04-01 15:58
VLAI?
Title
WordPress PDF for Elementor Forms + Drag And Drop Template Builder Plugin <= 6.2.0 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Stored XSS.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.2.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for Elementor Forms + Drag And Drop Template Builder |
Affected:
0 , ≤ 6.2.0
(custom)
|
Date Public ?
2026-04-01 16:42
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T19:29:26.932301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T19:29:33.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-elementor-forms",
"product": "PDF for Elementor Forms + Drag And Drop Template Builder",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "6.3.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "zaim | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:42:24.826Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Stored XSS.\u003cp\u003eThis issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.2.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Stored XSS.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through \u003c= 6.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:58:17.736Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for Elementor Forms + Drag And Drop Template Builder Plugin \u003c= 6.2.0 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58208",
"datePublished": "2025-08-27T17:45:46.928Z",
"dateReserved": "2025-08-27T16:19:10.126Z",
"dateUpdated": "2026-04-01T15:58:17.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49289 (GCVE-0-2025-49289)
Vulnerability from cvelistv5 – Published: 2025-06-06 12:53 – Updated: 2026-04-01 15:55
VLAI?
Title
WordPress PDF for WPForms plugin <= 5.5.0 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 5.5.0.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for WPForms |
Affected:
0 , ≤ 5.5.0
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T18:59:20.971465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T19:23:43.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-wpforms",
"product": "PDF for WPForms",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "5.6.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Tran Tuan Dung (domiee13) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:55.585Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects PDF for WPForms: from n/a through \u003c= 5.5.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through \u003c= 5.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:55:13.367Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-5-5-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for WPForms plugin \u003c= 5.5.0 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49289",
"datePublished": "2025-06-06T12:53:44.101Z",
"dateReserved": "2025-06-04T09:41:43.867Z",
"dateUpdated": "2026-04-01T15:55:13.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47492 (GCVE-0-2025-47492)
Vulnerability from cvelistv5 – Published: 2025-05-23 12:43 – Updated: 2026-04-01 15:53
VLAI?
Title
WordPress Drag and Drop File Upload for Elementor Forms plugin <= 1.4.3 - Arbitrary File Deletion Vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Path Traversal.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.4.3.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | Drag and Drop File Upload for Elementor Forms |
Affected:
0 , ≤ 1.4.3
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T14:58:50.333940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T14:58:56.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "drag-and-drop-file-upload-for-elementor-forms",
"product": "Drag and Drop File Upload for Elementor Forms",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "1.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:03.117Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Path Traversal.\u003cp\u003eThis issue affects Drag and Drop File Upload for Elementor Forms: from n/a through \u003c= 1.4.3.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Path Traversal.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through \u003c= 1.4.3."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:53:21.397Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/drag-and-drop-file-upload-for-elementor-forms/vulnerability/wordpress-drag-and-drop-file-upload-for-elementor-forms-1-4-3-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Drag and Drop File Upload for Elementor Forms plugin \u003c= 1.4.3 - Arbitrary File Deletion Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47492",
"datePublished": "2025-05-23T12:43:34.629Z",
"dateReserved": "2025-05-07T09:39:15.825Z",
"dateUpdated": "2026-04-01T15:53:21.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47537 (GCVE-0-2025-47537)
Vulnerability from cvelistv5 – Published: 2025-05-07 14:20 – Updated: 2026-04-01 15:53
VLAI?
Title
WordPress PDF Invoice Builder for WooCommerce plugin <= 5.3.8 - SQL Injection Vulnerability
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows SQL Injection.This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 5.3.8.
Severity ?
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF Invoice Builder for WooCommerce |
Affected:
0 , ≤ 5.3.8
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T17:20:34.147690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T18:17:53.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-woocommerce",
"product": "PDF Invoice Builder for WooCommerce",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "5.4.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ngo Bui Truong Vu | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:08.109Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows SQL Injection.\u003cp\u003eThis issue affects PDF Invoice Builder for WooCommerce: from n/a through \u003c= 5.3.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows SQL Injection.This issue affects PDF Invoice Builder for WooCommerce: from n/a through \u003c= 5.3.8."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:53:30.686Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-woocommerce/vulnerability/wordpress-pdf-invoices-for-woocommerce-drag-and-drop-template-builder-5-3-8-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF Invoice Builder for WooCommerce plugin \u003c= 5.3.8 - SQL Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47537",
"datePublished": "2025-05-07T14:20:13.398Z",
"dateReserved": "2025-05-07T09:39:53.906Z",
"dateUpdated": "2026-04-01T15:53:30.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47476 (GCVE-0-2025-47476)
Vulnerability from cvelistv5 – Published: 2025-05-07 14:19 – Updated: 2026-04-01 15:53
VLAI?
Title
WordPress Cost Calculator for Elementor plugin <= 1.3.3 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org Cost Calculator for Elementor cost-calculator-for-elementor allows DOM-Based XSS.This issue affects Cost Calculator for Elementor: from n/a through <= 1.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | Cost Calculator for Elementor |
Affected:
0 , ≤ 1.3.3
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T14:46:34.735876Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T16:36:12.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cost-calculator-for-elementor",
"product": "Cost Calculator for Elementor",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "1.3.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:01.188Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org Cost Calculator for Elementor cost-calculator-for-elementor allows DOM-Based XSS.\u003cp\u003eThis issue affects Cost Calculator for Elementor: from n/a through \u003c= 1.3.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org Cost Calculator for Elementor cost-calculator-for-elementor allows DOM-Based XSS.This issue affects Cost Calculator for Elementor: from n/a through \u003c= 1.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:53:17.244Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cost-calculator-for-elementor/vulnerability/wordpress-cost-calculator-for-elementor-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Cost Calculator for Elementor plugin \u003c= 1.3.3 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47476",
"datePublished": "2025-05-07T14:19:46.405Z",
"dateReserved": "2025-05-07T09:38:59.114Z",
"dateUpdated": "2026-04-01T15:53:17.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30767 (GCVE-0-2025-30767)
Vulnerability from cvelistv5 – Published: 2025-03-27 10:54 – Updated: 2026-04-01 15:47
VLAI?
Title
WordPress PDF for WPForms plugin <= 5.3.0 - Arbitrary Shortcode Execution vulnerability
Summary
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 5.3.0.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF for WPForms |
Affected:
0 , ≤ 5.3.0
(custom)
|
Date Public ?
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30767",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:59:56.133715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:07:01.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-wpforms",
"product": "PDF for WPForms",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "5.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "theviper17 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:20.624Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects PDF for WPForms: from n/a through \u003c= 5.3.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through \u003c= 5.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:47:26.798Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-5-3-0-arbitrary-shortcode-execution-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF for WPForms plugin \u003c= 5.3.0 - Arbitrary Shortcode Execution vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30767",
"datePublished": "2025-03-27T10:54:36.689Z",
"dateReserved": "2025-03-26T09:19:49.549Z",
"dateUpdated": "2026-04-01T15:47:26.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24755 (GCVE-0-2025-24755)
Vulnerability from cvelistv5 – Published: 2025-01-24 17:25 – Updated: 2026-04-01 15:44
VLAI?
Title
WordPress PDF Invoice Builder for WooCommerce plugin <= 4.6.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Stored XSS.This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 4.6.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | PDF Invoice Builder for WooCommerce |
Affected:
0 , ≤ 4.6.0
(custom)
|
Date Public ?
2026-04-01 16:34
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T17:48:58.271267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:01:15.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pdf-for-woocommerce",
"product": "PDF Invoice Builder for WooCommerce",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "4.7.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "theviper17 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:34:49.356Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Stored XSS.\u003cp\u003eThis issue affects PDF Invoice Builder for WooCommerce: from n/a through \u003c= 4.6.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Stored XSS.This issue affects PDF Invoice Builder for WooCommerce: from n/a through \u003c= 4.6.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:44:42.646Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-woocommerce/vulnerability/wordpress-pdf-invoices-for-woocommerce-plugin-4-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress PDF Invoice Builder for WooCommerce plugin \u003c= 4.6.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24755",
"datePublished": "2025-01-24T17:25:22.462Z",
"dateReserved": "2025-01-23T14:53:08.866Z",
"dateUpdated": "2026-04-01T15:44:42.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22802 (GCVE-0-2025-22802)
Vulnerability from cvelistv5 – Published: 2025-01-09 15:39 – Updated: 2026-04-01 15:41
VLAI?
Title
WordPress Email Templates Customizer YeeMail plugin <= 2.1.4 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail yeemail allows Stored XSS.This issue affects Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail: from n/a through <= 2.1.4.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| add-ons.org | Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail |
Affected:
0 , ≤ 2.1.4
(custom)
|
Date Public ?
2026-04-01 16:32
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T20:18:28.977212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T20:42:05.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yeemail",
"product": "Email Templates Customizer for WordPress \u2013 Drag And Drop Email Templates Builder \u2013 YeeMail",
"vendor": "add-ons.org",
"versions": [
{
"changes": [
{
"at": "2.1.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:32:03.230Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org Email Templates Customizer for WordPress \u2013 Drag And Drop Email Templates Builder \u2013 YeeMail yeemail allows Stored XSS.\u003cp\u003eThis issue affects Email Templates Customizer for WordPress \u2013 Drag And Drop Email Templates Builder \u2013 YeeMail: from n/a through \u003c= 2.1.4.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in add-ons.org Email Templates Customizer for WordPress \u2013 Drag And Drop Email Templates Builder \u2013 YeeMail yeemail allows Stored XSS.This issue affects Email Templates Customizer for WordPress \u2013 Drag And Drop Email Templates Builder \u2013 YeeMail: from n/a through \u003c= 2.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:41:53.131Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yeemail/vulnerability/wordpress-email-templates-customizer-yeemail-plugin-2-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Email Templates Customizer YeeMail plugin \u003c= 2.1.4 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22802",
"datePublished": "2025-01-09T15:39:20.648Z",
"dateReserved": "2025-01-07T21:05:34.184Z",
"dateUpdated": "2026-04-01T15:41:53.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}