CVE-2025-10647
📋 TL;DR
The Embed PDF for WPForms WordPress plugin allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing file type validation. This vulnerability can lead to remote code execution on affected WordPress sites. All sites using plugin versions up to 1.1.5 are vulnerable.
💻 Affected Systems
- Embed PDF for WPForms WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers achieve remote code execution, gain full control of the WordPress server, and potentially compromise the entire hosting environment.
Likely Case
Attackers upload web shells or malicious scripts to execute arbitrary commands, deface websites, steal data, or establish persistent backdoors.
If Mitigated
With proper file upload restrictions and web application firewalls, exploitation attempts are blocked, limiting impact to failed upload attempts.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.6
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3364156/embed-pdf-wpforms/trunk/includes/class-wpforms-field-pdf-viewer.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Embed PDF for WPForms' and click 'Update Now'. 4. Verify version shows 1.1.6 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Embed PDF for WPForms plugin until patched
wp plugin deactivate embed-pdf-wpforms
Restrict file uploads via .htaccess
linuxBlock PHP and executable file uploads in WordPress uploads directory
<FilesMatch "\.(php|phtml|phar|exe|sh|pl|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove Subscriber role from all users or restrict user registration
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Embed PDF for WPForms version ≤1.1.5Check Version:
wp plugin get embed-pdf-wpforms --field=versionVerify Fix Applied:
Confirm plugin version shows 1.1.6 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=wpforms_field_pdf_viewer_download_pdf_media
- File uploads with non-PDF extensions in wp-content/uploads directory
Network Indicators:
- Unusual file uploads to WordPress admin-ajax endpoints from authenticated users
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "wpforms_field_pdf_viewer_download_pdf_media" AND ("php" OR "exe" OR "sh" OR "pl")