CVE-2025-58208
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-27

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Stored XSS.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-27
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-08-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58208
EUVD
EUVD-2025-25924
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack pdf_for_elementor_forms 6.2.0
patchstack pdf_for_elementor_forms 6.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross Site Scripting (XSS) issue in the WordPress plugin "PDF for Elementor Forms + Drag And Drop Template Builder" up to version 6.2.0. It allows attackers with contributor-level privileges to inject malicious scripts, such as redirects or advertisements, into web pages generated by the plugin. These scripts then execute when visitors access the compromised pages, potentially leading to unauthorized actions or data exposure. [1]

Impact Analysis

If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, which may lead to unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads. This can degrade user trust, compromise user data, and potentially harm your website's reputation. However, the risk is considered low priority and exploitation is unlikely, but updating the plugin to version 6.3.0 or later is recommended to mitigate the risk. [1]

Detection Guidance

Detection involves checking if the affected WordPress plugin 'PDF for Elementor Forms + Drag And Drop Template Builder' is installed and running a vulnerable version (up to 6.2.0). Since the vulnerability allows contributor-level users to inject malicious scripts, monitoring for unexpected script injections or unusual HTML payloads in pages generated by the plugin can help detect exploitation. Specific commands are not provided in the resources, but you can check the plugin version via WP-CLI with: wp plugin get pdf-for-elementor-forms --field=version. Additionally, scanning web pages for suspicious script tags or payloads related to this plugin may help detect exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include updating the 'PDF for Elementor Forms + Drag And Drop Template Builder' plugin to version 6.3.0 or later, where the vulnerability is fixed. As an interim measure, Patchstack offers virtual patching (vPatching) that automatically protects against this vulnerability before official patches are applied. Restricting contributor-level privileges and monitoring for suspicious activity can also reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart