CVE-2025-32583 CRITICAL

CVE-2025-32583: WordPress PDF 2 Post Plugin <= 2.4.0 - Remote Code Execution (RCE) vulnerability

Vendor Termel
Product PDF 2 Post
Weakness CWE-94 · Code injection
Published April 17, 2025
Last update April 28, 2026

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post pdf2post allows Remote Code Inclusion. This issue affects PDF 2 Post: from n/a through <= 2.4.0.

Explanation of Vulnerability in Simple Terms

02 Summary

PDF 2 Post versions up to 2.4.0 contain a code injection vulnerability that allows authenticated users with low privileges to run arbitrary PHP code on the site. The vulnerability affects the entire system due to scope change. An attacker needs only a low-privilege account and network access to exploit it. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Run arbitrary PHP code on the site with full system access.

Potential impact on your site

04 Site Impact

Any low-privilege user account can compromise the entire site and access all data.

Conditions required to exploit

05 Prerequisites

Attacker needs a low-privilege authenticated account and network access.

Key dates

06 Disclosure timeline

April 17, 2025 CVE published
April 28, 2026 Record updated