Platform: wordpress
Component: pdf-creator-lite
Fixed in: 1.2.1
CVE-2025-49341 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the PDF Creator Lite WordPress plugin. This flaw allows attackers to execute Stored XSS attacks, potentially compromising user accounts and sensitive data. The vulnerability impacts versions from 0.0.0 up to and including 1.2. A fix is pending, and users should implement mitigation strategies until a patch is released.
The CSRF vulnerability in PDF Creator Lite, coupled with the ability to store XSS payloads, presents a significant risk. An attacker could craft malicious links or forms that, when visited by an authenticated user, would execute arbitrary JavaScript code within the user's browser context. This could lead to session hijacking, credential theft, defacement of the WordPress site, or the injection of malware. The stored XSS aspect means the malicious payload persists, potentially affecting multiple users over time. Successful exploitation could grant the attacker complete control over the affected WordPress site and its data.
CVE-2025-49341 was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits available, but the combination of CSRF and Stored XSS makes this a high-priority vulnerability. It is not currently listed on the CISA KEV catalog. The ease of exploitation, given the widespread use of WordPress and the potential for significant impact, suggests this vulnerability could become a target for opportunistic attackers.
WordPress websites utilizing the PDF Creator Lite plugin, particularly those running older, unpatched versions (0.0.0–1.2), are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable if they haven't applied the necessary updates. Sites with user-generated content processed by the plugin are especially susceptible.
• wordpress / composer / npm:
grep -r "PDF Creator Lite" /var/www/html/wp-content/plugins/
wp plugin list | grep -i "pdf-creator-lite"
curl -I https://your-wordpress-site.com/wp-content/plugins/pdf-creator-lite/ | grep -i 'X-Frame-Options'
Disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
Since a patch is not yet available, immediate mitigation steps are crucial. Implement strict Content Security Policy (CSP) headers to restrict the sources from which JavaScript can be executed. This can significantly reduce the impact of XSS attacks. Additionally, consider using a WordPress security plugin with CSRF protection capabilities. Carefully review any new PDF Creator Lite features or updates for potential vulnerabilities before deployment. Monitor WordPress logs for suspicious activity, particularly requests originating from unfamiliar sources. After a patch is released, upgrade PDF Creator Lite to the latest version immediately to eliminate this vulnerability.
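The detection commands above only confirm that the plugin is present; the check a practitioner actually wants is whether the installed version is below the 1.2.1 release this page lists as fixed. The following shell script is an added example, not part of the advisory or the plugin: it reads the standard WordPress "Version:" header from the plugin's main file (the header format is an assumption) and classifies it against 1.2.1, with a constructed sample header standing in for a pre-fix install.

```shell
# Added example (not from the advisory): classify an installed pdf-creator-lite
# copy against the fixed version 1.2.1 named on this page.
FIXED_VERSION="1.2.1"

# Extract the numeric part of a "Version: x.y.z" plugin header line read from stdin.
# Assumes the standard WordPress plugin header layout (" * Version: 1.2").
plugin_version_from_header() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is strictly lower than $2 ("1.2" < "1.2.1", "1.10" > "1.2").
# Pure POSIX sh, so it does not depend on GNU sort -V.
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"        # current component of each version
    a="${a#*.}";  b="${b#*.}"         # drop that component
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1                            # equal versions are not "lower"
}

# Map a version string to vulnerable / fixed / unknown relative to FIXED_VERSION.
classify_version() {
  if [ -z "$1" ]; then echo "unknown"
  elif version_lt "$1" "$FIXED_VERSION"; then echo "vulnerable"
  else echo "fixed"
  fi
}

# Locate the plugin header file under a plugin directory (default: the path used
# in the advisory's grep command) and classify the version found there.
check_plugin_dir() {
  dir="${1:-/var/www/html/wp-content/plugins/pdf-creator-lite}"
  header_file=$(grep -rl "Plugin Name:" "$dir" 2>/dev/null | head -n 1)
  [ -n "$header_file" ] || { echo "unknown"; return; }
  classify_version "$(plugin_version_from_header < "$header_file")"
}

# Constructed sample header mimicking a pre-fix install (not the real plugin file).
SAMPLE_HEADER='/*
 * Plugin Name: PDF Creator Lite
 * Version: 1.2
 */'

echo "sample header: $(classify_version "$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version_from_header)")"
echo "installed plugin: $(check_plugin_dir "$@")"
```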
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organisation's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-49341 is a Cross-Site Request Forgery (CSRF) vulnerability in the PDF Creator Lite WordPress plugin, allowing for Stored XSS attacks. It affects versions 0.0.0 through 1.2.
If you are using PDF Creator Lite plugin versions 0.0.0 to 1.2 on your WordPress site, you are potentially affected by this vulnerability.
The recommended fix is to update the PDF Creator Lite plugin to the latest available version that addresses the CSRF vulnerability. Check the WordPress plugin repository for updates.
While no public exploits are currently known, the CSRF/XSS combination is a common attack vector, so active exploitation is possible.
Check the official PDF Creator Lite plugin page on the WordPress plugin repository or the developer's website for the advisory.