CVE-2025-49289
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-06

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 5.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-06
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2025-06-06
EPSS Evaluated
2026-05-05
NVD
CVE-2025-49289
EUVD
EUVD-2025-17272
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability, identified as CVE-2025-49289, is a Broken Access Control issue in the WordPress plugin "PDF for WPForms" up to version 5.5.0. It occurs due to missing authorization, authentication, or nonce token checks in certain functions, which can allow users with low-level privileges (Subscriber-level) to perform actions that should be restricted to higher-privileged users. [1]


How can this vulnerability impact me? :

The vulnerability can allow unprivileged users to perform unauthorized actions within the plugin, potentially leading to misuse or manipulation of plugin functionality. Although it has a low severity rating (CVSS score 5.0) and is considered unlikely to be exploited, if exploited, it could compromise the integrity of the affected WordPress site. It is recommended to update the plugin to version 5.6.1 or later to mitigate this risk. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if the WordPress plugin "PDF for WPForms" is installed and running a version up to 5.5.0. Since the vulnerability is due to missing authorization checks allowing Subscriber-level users to perform higher-privileged actions, monitoring for unusual privilege escalations or unauthorized actions by low-privilege users could indicate exploitation attempts. Specific commands are not provided in the resources, but checking the plugin version can be done via WP-CLI with: wp plugin list | grep pdf-for-wpforms. Additionally, monitoring web server logs for suspicious requests targeting PDF for WPForms functionality may help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the PDF for WPForms plugin to version 5.6.1 or later, where the vulnerability is resolved. If updating immediately is not possible, enabling auto-updates for vulnerable plugins or applying virtual patching (vPatching) through Patchstack can provide immediate protection by auto-mitigating the vulnerability. It is also recommended to monitor for exploitation attempts and, in case of compromise, seek professional incident response or hosting provider malware scanning. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart