CVE-2025-10647: 
WordPress vulnerability analysis and mitigation

The Embed PDF for WPForms plugin for WordPress (versions up to 1.1.5) contains a vulnerability identified as CVE-2025-10647. The vulnerability was discovered on September 18, 2025, and publicly disclosed on September 19, 2025. This security flaw affects the ajaxhandlerdownloadpdfmedia function, which lacks proper file type validation, potentially allowing authenticated users with Subscriber-level access or higher to upload arbitrary files to the affected site's server (NVD Database).

The vulnerability is classified with a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The security flaw stems from missing file type validation in the ajaxhandlerdownloadpdfmedia function, which fails to properly validate uploaded files. The vulnerability is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD Database, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution, giving attackers significant control over the compromised system (NVD Database).

The vulnerability has been patched in version 1.1.6 of the Embed PDF for WPForms plugin. The update includes bug fixes specifically addressing the issues with uploading PDFs in the form builder. Users are strongly advised to update to this latest version to protect their installations (WordPress Plugin).