CVE-2025-60080: Deserialization of Untrusted Data in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection. This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through <= 6.3.0.
AI Analysis
Technical Summary
CVE-2025-60080 is a deserialization of untrusted data vulnerability found in the add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder plugin, affecting all versions up to and including 6.3.0. The vulnerability arises because the plugin improperly handles serialized data, allowing an attacker to inject malicious objects during the deserialization process. This object injection can lead to remote code execution or other malicious actions, compromising the confidentiality, integrity, and availability of the affected system. The vulnerability requires an attacker to have network access and low privileges (PR:L) but does not require user interaction (UI:N), increasing the risk of automated or remote exploitation. The attack complexity is high (AC:H), indicating some specialized conditions or knowledge are needed to exploit the flaw. The CVSS v3.1 base score is 7.5, reflecting the significant impact on affected systems. No public exploits are known at this time, but the vulnerability's nature makes it a critical concern for organizations relying on this plugin for form processing and PDF generation. The plugin is commonly used in WordPress environments to generate PDFs from Gravity Forms submissions, often handling sensitive user data, making exploitation potentially damaging. The vulnerability was reserved in late September 2025 and published in December 2025, with no patches currently linked, indicating organizations should monitor vendor updates closely.
Potential Impact
For European organizations, the impact of CVE-2025-60080 can be severe. Exploitation could lead to unauthorized access to sensitive form data, including personally identifiable information (PII), financial data, or other confidential information processed via Gravity Forms. Attackers could execute arbitrary code on the web server, leading to full system compromise, data theft, or service disruption. This could result in regulatory non-compliance with GDPR due to data breaches, financial losses, reputational damage, and operational downtime. Organizations relying on automated PDF generation for business processes may face workflow interruptions. The high complexity of exploitation may limit widespread attacks, but targeted attacks against high-value European entities are plausible. Because no user interaction is required, remote exploitation is easier, which increases the risk for externally facing WordPress sites. The absence of known exploits currently provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
Organizations should immediately inventory their WordPress environments to identify installations of the PDF for Gravity Forms + Drag And Drop Template Builder plugin. Until a patch is released, restrict access to the plugin's functionality by limiting network exposure, e.g., via web application firewalls (WAFs) and IP allowlisting. Disable or remove the plugin if it is not essential. Implement strict input validation and sanitization on all Gravity Forms inputs to reduce the risk of malicious serialized data reaching the plugin. Monitor logs for unusual deserialization activity or unexpected object injection patterns. Employ intrusion detection systems (IDS) tuned for PHP object injection signatures. Once the vendor releases a patch, apply it promptly. Additionally, conduct regular backups and ensure incident response plans include scenarios involving web application compromise. Educate development and security teams about the risks of deserialization vulnerabilities and secure coding practices to prevent similar issues.
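One way to implement the input check and hardened deserialization recommended above, as an added example that is not code from the PDF for Gravity Forms plugin. It assumes (hypothetically) that a form field reaches a PHP unserialize() call; the function names and log prefix are constructed for this illustration.

```php
<?php
// Added example, not code from the PDF for Gravity Forms plugin: a hardened
// replacement for a raw unserialize() call on form data, plus a check that
// can double as a log/WAF signal for PHP object injection attempts.

// Returns true when the decoded value, or anything nested inside it, is an
// object. With allowed_classes => false every object token (O:, C:) in the
// input decodes to __PHP_Incomplete_Class, so this is an exact test for
// "the payload tried to instantiate a class" rather than a regex guess.
function holds_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (holds_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Deserialize untrusted data without ever letting PHP construct application
// classes (so no __wakeup/__destruct gadget runs), and reject payloads that
// carried objects at all. Returns null on rejection or malformed input.
function safe_unserialize(string $data) {
    $result = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed input and for the
    // literal 'b:0;'; treat only the latter as a legitimate boolean.
    if ($result === false && $data !== 'b:0;') {
        error_log('[pdf-gf-guard] malformed serialized data rejected');
        return null;
    }
    if (holds_object($result)) {
        error_log('[pdf-gf-guard] serialized object in form input rejected');
        return null;
    }
    return $result;
}

// Constructed samples: a benign serialized array and an object payload.
$benign  = 'a:2:{s:4:"name";s:5:"Alice";s:4:"page";i:3;}';
$hostile = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}';

var_dump(safe_unserialize($benign));   // array with name and page keys
var_dump(safe_unserialize($hostile));  // NULL, rejection written to the log
```

The error_log lines are the hook for the log monitoring the paragraph recommends: a spike of "serialized object in form input rejected" entries is the detection signal, while the allowed_classes option is what actually prevents gadget execution if a payload is nevertheless processed.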
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:20:02.781Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b04e4eb3efac3670037c
Added to database: 12/18/2025, 7:42:06 AM
Last enriched: 1/20/2026, 9:38:58 PM
Last updated: 2/7/2026, 10:42:30 AM