CVE-2025-10647 Overview
CVE-2025-10647 affects the Embed PDF for WPForms plugin for WordPress through version 1.1.5. The vulnerability stems from missing file type validation in the ajax_handler_download_pdf_media function. Authenticated attackers with Subscriber-level access or higher can upload arbitrary files to the server. Successful exploitation can lead to remote code execution on the WordPress host.
The flaw is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type. It carries network-based exploitability with low privilege requirements and no user interaction.
Critical Impact
Authenticated Subscriber accounts can upload arbitrary files via the plugin's AJAX handler, enabling remote code execution and full site compromise.
Affected Products
- Embed PDF for WPForms plugin for WordPress, all versions up to and including 1.1.5
- WordPress sites running the plugin with Subscriber-level (or higher) user registration enabled
- The vulnerable file is includes/class-wpforms-field-pdf-viewer.php
Discovery Timeline
- 2025-09-19 - CVE-2025-10647 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10647
Vulnerability Analysis
The Embed PDF for WPForms plugin exposes an AJAX endpoint handled by ajax_handler_download_pdf_media. This handler is intended to process PDF media uploads associated with WPForms submissions. The function fails to validate the MIME type, extension, or content of uploaded files before writing them to the server.
Because the endpoint only requires standard WordPress authentication, any user with Subscriber privileges can invoke it. Subscriber accounts are commonly created through open registration on WordPress sites, lowering the practical barrier to exploitation.
An attacker can upload a PHP file or polyglot payload disguised as a PDF. Once the file lands in a web-accessible directory, the attacker requests it directly to trigger server-side execution. This converts an authenticated low-privilege session into arbitrary code execution under the web server account.
Root Cause
The root cause is missing input validation on file uploads [CWE-434]. The ajax_handler_download_pdf_media function trusts client-supplied file data without verifying extension allowlists, MIME types, or file signatures. The plugin also does not enforce capability checks beyond the default authenticated AJAX nonce.
Attack Vector
Exploitation requires a valid Subscriber-or-higher account and network reachability to the WordPress admin-ajax.php endpoint. The attacker submits a crafted multipart POST request to the vulnerable AJAX action with a malicious file payload. After upload, the attacker fetches the file URL to execute the payload in the WordPress context.
No user interaction is required from administrators. Full technical detail is available in the Wordfence Vulnerability Analysis and the WordPress Plugin Changeset that introduces the fix.
Detection Methods for CVE-2025-10647
Indicators of Compromise
- POST requests to admin-ajax.php with the PDF media download action originating from Subscriber-level accounts
- New PHP, .phtml, or .htaccess files in WordPress uploads directories with recent modification times
- Unexpected outbound connections from the web server process following file uploads
- Web shell artifacts or obfuscated PHP code inside wp-content/uploads/ subfolders associated with the plugin
Detection Strategies
- Monitor WordPress access logs for repeated calls to the ajax_handler_download_pdf_media action by non-administrative users
- Apply file integrity monitoring to wp-content/uploads/ and alert on creation of executable file types
- Inspect HTTP request bodies for multipart uploads where the declared Content-Type is application/pdf but file contents contain PHP tags
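The request-body check described above, as an added Python example (not code from the page or the plugin): it parses a multipart/form-data body of the kind sent to admin-ajax.php and reports file parts whose declared type disagrees with their content. The action value is a placeholder, since the page does not give the plugin's real action name, and the sample bodies are constructed.

```python
import email
import email.policy
import re
from typing import List

PHP_TAG = re.compile(rb"<\?(?:php\b|=)")                 # PHP open tags: <?php or <?=
DANGEROUS_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.I)


def build_body(boundary: str, filename: str, ctype: str, content: bytes) -> bytes:
    """Construct a multipart/form-data body like one posted to admin-ajax.php.
    PLACEHOLDER_PDF_ACTION stands in for the plugin's real action name."""
    return (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="action"\r\n\r\n'
        "PLACEHOLDER_PDF_ACTION\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: {ctype}\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()


def inspect_multipart(body: bytes, boundary: str) -> List[str]:
    """Return findings for file parts whose name, declared Content-Type and
    actual bytes disagree; an empty list means nothing suspicious."""
    raw = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode() + body
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_parts():
        name = part.get_filename()
        if name is None:
            continue                                     # plain form field, not a file
        data = part.get_payload(decode=True) or b""
        if DANGEROUS_EXT.search(name):
            findings.append(f"{name}: executable extension")
        if part.get_content_type() == "application/pdf" and not data.startswith(b"%PDF-"):
            findings.append(f"{name}: declared application/pdf but no %PDF- header")
        if PHP_TAG.search(data):
            findings.append(f"{name}: PHP open tag inside upload body")
    return findings


BOUNDARY = "----DemoBoundary"
# Constructed samples, not real captures.
CLEAN_BODY = build_body(BOUNDARY, "report.pdf", "application/pdf", b"%PDF-1.4\n%demo\n")
SUSPECT_BODY = build_body(BOUNDARY, "invoice.pdf", "application/pdf", b"<?php echo 'test'; ?>")

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_BODY), ("suspect", SUSPECT_BODY)):
        print(label, inspect_multipart(body, BOUNDARY) or ["no findings"])
```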
Monitoring Recommendations
- Review WordPress user registration logs for newly created Subscriber accounts followed by AJAX upload activity
- Enable web application firewall (WAF) logging on plugin AJAX endpoints and forward events to a centralized SIEM for correlation
- Audit installed plugin versions across WordPress estates and flag instances of Embed PDF for WPForms at or below 1.1.5
How to Mitigate CVE-2025-10647
Immediate Actions Required
- Update the Embed PDF for WPForms plugin to a version above 1.1.5 that includes the fix from changeset 3364156
- Temporarily deactivate the plugin if patching cannot be completed immediately
- Disable open user registration or restrict the Subscriber role's access to the vulnerable AJAX endpoint
- Audit wp-content/uploads/ for unexpected executable files and remove any web shells discovered
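The uploads audit in the last item, as an added Python example (not code from the page or the plugin): it walks an uploads tree and flags executable extensions, stray .htaccess files, and .pdf files whose bytes are not a PDF or contain PHP code (the polyglot case from the analysis above). The sample tree it builds is constructed data in a temporary directory.

```python
import os
import re
import tempfile
from typing import List

PHP_TAG = re.compile(rb"<\?(?:php\b|=)")                 # PHP open tags: <?php or <?=
EXEC_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}


def audit_uploads(root: str) -> List[str]:
    """Walk an uploads tree and report files that should never be there."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(fn)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(65536)                    # 64 KiB covers signature and tag checks
            if ext in EXEC_EXT:
                findings.append(f"{rel}: executable extension")
            if fn == ".htaccess":
                findings.append(f"{rel}: .htaccess inside uploads (may re-enable handlers)")
            if ext == ".pdf" and not head.startswith(b"%PDF-"):
                findings.append(f"{rel}: .pdf without %PDF- header")
            if PHP_TAG.search(head):
                findings.append(f"{rel}: PHP open tag in content")
    return findings


def build_demo_tree() -> str:
    """Create a constructed sample uploads tree (not real data) for a dry run."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    sub = os.path.join(root, "2025", "09")
    os.makedirs(sub)
    samples = {
        "report.pdf": b"%PDF-1.4\n%constructed benign sample\n",
        "invoice.pdf": b"<?php echo 'test'; ?>",          # PHP hidden behind a .pdf name
        "cache.phtml": b"<?php echo 'test'; ?>",
        ".htaccess": b"# constructed sample\n",
    }
    for name, content in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in audit_uploads(build_demo_tree()):
        print(finding)
```

Run it against a real wp-content/uploads/ path instead of the demo tree; a PHP tag inside an image or PDF is worth a look even when the extension is harmless.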
Patch Information
The vendor addressed the issue in the plugin source tree referenced by WordPress Plugin Changeset 3364156. The fix adds file type validation to the ajax_handler_download_pdf_media function. Download the latest release from the WordPress Embed PDF WPForms plugin page.
Workarounds
- Configure the web server to deny PHP execution within wp-content/uploads/ using directory-level handler restrictions
- Deploy a WAF rule that blocks multipart uploads to the plugin's AJAX action when file content does not match a valid PDF signature
- Restrict Subscriber accounts using a role-management plugin to remove access to the vulnerable AJAX action until patching is complete
# Apache: block PHP execution inside the WordPress uploads directory
# Place in wp-content/uploads/.htaccess (Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" and "Deny from all" instead of "Require all denied")
<FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7|phps)$">
Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.