CVE-2025-68534
Missing Authorization in PDF for WPForms Plugin Allows Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpforms | pdf_for_wpforms | to 6.3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68534 is a Missing Authorization vulnerability in the WordPress PDF for WPForms Plugin versions up to and including 6.3.0. It is a Broken Access Control issue where certain functions lack proper authorization, authentication, or nonce token checks.
This flaw allows unprivileged users to perform actions that should be restricted to higher privileged roles, such as subscribers or developers.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to perform privileged actions within the PDF for WPForms Plugin, potentially leading to unauthorized access or modification of data or functionality.
Such unauthorized actions could compromise the security and integrity of your WordPress site, exposing it to further exploitation or data breaches.
Until patched, attackers might exploit this issue to bypass access controls, which could affect site operations or user data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the PDF for WPForms Plugin, allowing unprivileged users to perform actions reserved for higher privileged roles.
Detection can involve monitoring for unauthorized access attempts or unusual privilege escalations related to the PDF for WPForms Plugin, especially in versions up to 6.3.0.
Patchstack provides mitigation rules that can block attacks targeting this vulnerability, which may include detection capabilities.
Specific commands are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the PDF for WPForms Plugin to version 6.3.1 or later, where the issue has been patched.
Until the update can be applied, users of Patchstack can enable mitigation rules that block attacks targeting this vulnerability.
Enabling automatic updates for vulnerable plugins via Patchstack is also recommended to ensure timely protection.