CVE-2025-60084: Deserialization of Untrusted Data in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder
Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder (plugin slug: pdf-for-elementor-forms) allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.
AI Analysis
Technical Summary
CVE-2025-60084 is a deserialization of untrusted data vulnerability (PHP object injection) in the add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder WordPress plugin (slug pdf-for-elementor-forms), versions up to and including 6.3.1. The plugin passes attacker-controllable serialized data to PHP's unserialize(), so a crafted request can instantiate arbitrary classes and populate their properties. Instantiation alone does not execute code: the real impact depends on the gadget classes reachable at unserialize time, meaning classes in the plugin, its bundled libraries, WordPress core or any other installed plugin whose magic methods (__wakeup, __destruct, __toString and similar) act on attacker-controlled properties, for example by writing or deleting files, issuing HTTP requests or running SQL. Public gadget-chain catalogues cover many common PHP libraries, which is why object injection in a WordPress plugin is treated as a path to remote code execution, data theft, data manipulation or denial of service rather than as a minor bug. The analysis cites a CVSS vector of AV:N/AC:L/PR:N/UI:N and a score of 8.6, i.e. remotely reachable with no authentication or user interaction. Two caveats: 8.6 rates as High, not Critical, under CVSS v3.x, and the record's CVSS version field below is null, so confirm the metrics against the Patchstack advisory before prioritising on the score alone. The plugin generates PDFs from form submissions, so the vulnerable code is reachable from a form handler that is exposed to anonymous visitors by design; that makes automated mass exploitation plausible even though no in-the-wild exploitation has been reported. The record carries no patch link; the "through <= 6.3.1" range implies that a release above 6.3.1, once published, is expected to contain the fix, which should be confirmed with the vendor. The CVE was reserved on 2025-09-25 and published in December 2025. Given how widely Elementor and its add-ons are deployed, any site using this plugin for PDF generation or form handling should treat the issue as urgent.
Potential Impact
For European organizations, a site running the affected plugin exposes an unauthenticated, remotely reachable request handler that can lead to server-side compromise of the web host, theft of stored form submissions and other personal data, tampering with site content or generated documents, and service disruption. Because no credentials or user interaction are required, the vulnerability suits automated, internet-wide exploitation campaigns once a working gadget chain for a common plugin stack circulates. Organizations in finance, healthcare, government and e-commerce that use WordPress forms for customer intake, document generation or internal workflows face operational and reputational impact, and exposure of personal data would trigger GDPR breach-notification duties. The absence of reported in-the-wild exploitation is a window for remediation, not a reason to defer it.
Mitigation Recommendations
1. Monitor add-ons.org and Patchstack (the assigning CNA) for a fixed release and update as soon as one is published. Verify the installed version on every site from the plugins screen or WP-CLI's plugin list, and treat anything at or below 6.3.1 as vulnerable.
2. Until a patch is available, reduce exposure of the plugin's request handlers. Public form submission endpoints usually cannot be IP-restricted without breaking the form, so prefer deactivating the plugin (item 5); restrict administrative, preview and template-builder endpoints to trusted IP ranges or a VPN where the site design allows it.
3. Add WAF rules that block PHP-serialized object tokens (the pattern O:<n>:"ClassName":<count>:{ and its C: variant) in request parameters, including URL-encoded and base64-wrapped forms. Log matches rather than silently dropping them so exploitation attempts are visible.
4. Audit custom code and the plugin for unserialize() calls on request-derived data. The durable fix is to stop deserializing untrusted input: move the data format to JSON (json_decode()), or at minimum call unserialize($data, ['allowed_classes' => false]) (PHP 7.0 and later) so no object can be instantiated. Trying to "sanitize" serialized strings is not a reliable substitute.
5. Deactivate the plugin if it is not essential, or replace it with a PDF generation tool that does not deserialize untrusted data. Deactivation removes the reachable code path immediately, which no WAF rule can guarantee.
6. Monitor for unexpected file changes in the WordPress tree, newly created administrator accounts, outbound connections from PHP worker processes, and form submissions carrying serialized or base64 blobs in free-text fields.
7. Educate site administrators on deserialization risks and on the importance of timely patching and access controls.
8. Keep tested, offline backups of the site files and database. After a suspected compromise, restore from a backup taken before the first suspicious request rather than trusting the live file tree.
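As an added example for the WAF and monitoring recommendations above (items 3 and 6), not code from the plugin, add-ons.org or Patchstack: a small Python scanner that parses form bodies, peels URL and base64 wrapping, and reports every PHP object token (O: or C:) with its class name, using the declared-length check to avoid the false positives a bare "O:" pattern produces. The request bodies, the action and parameter names, and the Evil_Obj class are constructed for illustration; Evil_Obj is not a real gadget.

```python
"""Flag PHP-serialized object payloads in WordPress form submissions.

Added example for the WAF / monitoring recommendations; not code from the
plugin, add-ons.org, or Patchstack. Request bodies, parameter names and the
'Evil_Obj' class below are constructed samples, not real traffic.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlencode

# PHP serialization of an object (O:) or a custom-serialized class (C:):
#   O:<name_len>:"<ClassName>":<prop_count>:{...}
#   C:<name_len>:"<ClassName>":<data_len>:{...}
# Requiring the declared name length to equal the real name length removes
# most false positives from ordinary text that happens to contain 'O:'.
_PHP_OBJECT = re.compile(r'[OC]:(\d+):"([^"]*)":\d+:\{')
_BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def php_object_classes(text: str) -> list[str]:
    """Return the class name of every PHP object token in text, nested or not."""
    return [name for length, name in _PHP_OBJECT.findall(text)
            if int(length) == len(name)]


def _decodings(value: str):
    """Yield (layer, text) for the raw value and common transport wrappers."""
    yield "raw", value
    decoded = unquote_plus(value)            # catches double URL-encoding
    if decoded != value:
        yield "urlencoded", decoded
    compact = "".join(value.split())         # base64 wrapping, whitespace-tolerant
    if _BASE64_BLOB.fullmatch(compact) and len(compact) % 4 == 0:
        try:
            yield "base64", base64.b64decode(compact, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            pass


def scan_submission(path: str, body: str) -> list[dict]:
    """Inspect one application/x-www-form-urlencoded body for object tokens."""
    findings = []
    for param, value in parse_qsl(body, keep_blank_values=True):
        for layer, text in _decodings(value):
            for cls in php_object_classes(text):
                findings.append({"path": path, "param": param,
                                 "layer": layer, "class": cls})
    return findings


# Constructed samples (not real traffic). The action name and field names are
# assumptions about how a form plugin might post to admin-ajax.php.
_PAYLOAD = 'O:8:"Evil_Obj":1:{s:3:"cmd";s:2:"id";}'
_AJAX = "/wp-admin/admin-ajax.php"
SAMPLE_SUBMISSIONS = [
    # Benign submission.
    (_AJAX, urlencode({"action": "send_form", "fields[name]": "Ada",
                       "fields[message]": "Hello, please send the PDF."})),
    # Serialized object dropped straight into a text field.
    (_AJAX, urlencode({"action": "send_form", "fields[message]": _PAYLOAD})),
    # Same object, base64-wrapped to survive form transport.
    (_AJAX, urlencode({"action": "send_form",
                       "pdf_data": base64.b64encode(_PAYLOAD.encode()).decode()})),
    # Same object, URL-encoded twice to slip past a naive single-decode filter.
    (_AJAX, urlencode({"action": "send_form", "pdf_data": quote_plus(_PAYLOAD)})),
    # Decoy: declared length 5 does not match 'note', so it is not an object token.
    ("/contact/", urlencode({"message": 'O:5:"note":1:{'})),
]


def scan_all(submissions=SAMPLE_SUBMISSIONS) -> list[dict]:
    """Scan every sample and return the findings in submission order."""
    return [f for path, body in submissions for f in scan_submission(path, body)]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['path']} param={f['param']} layer={f['layer']} class={f['class']}")
```

Feed scan_submission() the request bodies from a ModSecurity audit log or the application's own request log; the same regex plus the length check is what to put in a WAF rule. Base64 hits in free-text form fields deserve the most attention, since legitimate visitors rarely type base64.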
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:20:02.782Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b04e4eb3efac36700388
Added to database: 12/18/2025, 7:42:06 AM
Last enriched: 1/20/2026, 9:40:08 PM
Last updated: 2/4/2026, 5:12:48 AM
Related Threats
- CVE-2026-1791: CWE-434 Unrestricted Upload of File with Dangerous Type in Hillstone Networks Operation and Maintenance Security Gateway (Low)
- CVE-2026-1835: Cross-Site Request Forgery in lcg0124 BootDo (Medium)
- CVE-2026-1813: Unrestricted Upload in bolo-blog bolo-solo (Medium)
- CVE-2026-1632: CWE-306 Missing Authentication for Critical Function in RISS SRL MOMA Seismic Station (Critical)
- CVE-2026-1812: Path Traversal in bolo-blog bolo-solo (Medium)