CVE-2025-10647
Published
CVSS v3: 8.8 (HIGH)
CVSS v2: N/A
Affected: 1 project
Description
The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
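The missing control described above is server-side file type validation (together with an authorisation check) in an AJAX upload path. The following hardened handler is an added illustration written for this page; it is not the plugin's code, and the action name, nonce name, field name and function name are assumptions. It accepts only files that both carry a .pdf extension and sniff as application/pdf, and it refuses the request before any file is written when the caller lacks the upload_files capability.

```php
<?php
// Added, hypothetical example: a hardened WordPress AJAX upload handler.
// Not the plugin's code; action, nonce, field and function names are assumptions.

add_action( 'wp_ajax_example_upload_pdf', 'example_handle_pdf_upload' );

function example_handle_pdf_upload() {
    // 1. Authorisation: a Subscriber-level account does not have upload_files,
    //    so it never reaches the file handling below.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 ); // calls wp_die()
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_upload_pdf_nonce', 'nonce' );

    if ( empty( $_FILES['pdf']['tmp_name'] ) ) {
        wp_send_json_error( 'No file received', 400 );
    }

    // 3. File type validation. wp_check_filetype_and_ext() matches the extension
    //    against this allow-list and compares the sniffed MIME type with the one
    //    the extension implies, so a script renamed to .pdf yields ext/type = false.
    $allowed = array( 'pdf' => 'application/pdf' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['pdf']['tmp_name'],
        $_FILES['pdf']['name'],
        $allowed
    );
    if ( 'pdf' !== $check['ext'] || 'application/pdf' !== $check['type'] ) {
        wp_send_json_error( 'Only PDF files are accepted', 415 );
    }

    // 4. Hand the file to core with the same allow-list so the media library
    //    enforces it again; test_form is false because this is an AJAX request.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload(
        $_FILES['pdf'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

Either check alone is insufficient: the capability check stops low-privilege accounts, and the type validation stops a privileged but compromised account from placing executable content in the uploads directory.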
<p>Embed PDF for WPForms provides a PDF Viewer field type. Include PDF files in forms without requiring users to download the PDF. Supports multi-page documents for PDF flipbooks in WPForms. Provides zoom controls.</p>
<h4>Features</h4>
<ul>
<li>Drag a PDF Viewer field onto any WPForm</li>
<li>Choose PDF from Media Library or provide local URL</li>
<li>Set default zoom level</li>
<li>Supports multi-page PDFs</li>
<li>Supports Dynamic Population</li>
</ul>
<h4>Demo</h4>
<p><a href="https://breakfastco.xyz/embed-pdf-for-wpforms/" rel="nofollow ugc">https://breakfastco.xyz/embed-pdf-for-wpforms/</a></p>
<p>Have an idea for a new feature? Please create an Issue on GitHub or a Support Topic on wordpress.org.</p>