Platform: wordpress
Component: pdf-creator-lite
Fixed in: 1.2.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the PDF Creator Lite WordPress plugin. This flaw allows attackers to trigger Stored XSS attacks, potentially compromising user accounts and website integrity. The vulnerability affects versions from 0.0.0 up to and including 1.2. A fix is available through plugin updates.
The CSRF vulnerability in PDF Creator Lite allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation can lead to the injection of malicious JavaScript code, resulting in Stored Cross-Site Scripting (XSS). This means the attacker's script is stored on the server and executed whenever a user visits a vulnerable page. The impact ranges from session hijacking and defacement to the theft of sensitive user data, including credentials and personal information. Attackers could also leverage this to distribute malware or redirect users to phishing sites.
CVE-2025-49341 was publicly disclosed on 2025-12-09. Currently, no public proof-of-concept (POC) code has been released, but the CSRF/XSS combination is a well-understood attack pattern. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates on exploitation attempts.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49341 is to immediately update the PDF Creator Lite plugin to a version that addresses the CSRF vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, restrict access to sensitive plugin functionalities and carefully review any user-submitted content that is processed by the plugin. Regularly scan your WordPress installation for vulnerable plugins using security plugins or vulnerability scanners.
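As an added illustration (not PDF Creator Lite's own code), this is the standard WordPress pattern that breaks the CSRF-to-stored-XSS chain described above: a nonce check that a cross-site form cannot satisfy, a capability check, sanitisation on write and escaping on output. The action name, option name and field names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hypothetical action/option names.

// Hardened save handler for a settings form posted to admin-post.php.
add_action( 'admin_post_pcl_demo_save_settings', 'pcl_demo_save_settings' );

function pcl_demo_save_settings() {
    // 1. CSRF defence: the request must carry a nonce issued to this user for
    //    this action. A form forged on an attacker's site cannot obtain one.
    check_admin_referer( 'pcl_demo_save_settings', 'pcl_demo_nonce' );

    // 2. Authorisation: reject low-privilege or logged-out users regardless
    //    of the nonce outcome.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'pcl-demo' ), '', array( 'response' => 403 ) );
    }

    // 3. Sanitise on write so nothing executable is ever stored. A vulnerable
    //    handler would persist the raw $_POST values instead.
    $title  = sanitize_text_field( wp_unslash( $_POST['pcl_demo_title'] ?? '' ) );
    $footer = wp_kses_post( wp_unslash( $_POST['pcl_demo_footer'] ?? '' ) );

    update_option( 'pcl_demo_settings', array( 'title' => $title, 'footer' => $footer ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// Render the form with the matching nonce, and escape on output so a value
// that slipped past sanitisation still cannot run as script.
function pcl_demo_render_form() {
    $opts = get_option( 'pcl_demo_settings', array( 'title' => '', 'footer' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pcl_demo_save_settings">
        <?php wp_nonce_field( 'pcl_demo_save_settings', 'pcl_demo_nonce' ); ?>
        <input type="text" name="pcl_demo_title" value="<?php echo esc_attr( $opts['title'] ); ?>">
        <textarea name="pcl_demo_footer"><?php echo esc_textarea( $opts['footer'] ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look for settings handlers that reach `update_option()` without a preceding `check_admin_referer()` or `wp_verify_nonce()` call.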
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-49341 is a Cross-Site Request Forgery (CSRF) vulnerability in the PDF Creator Lite WordPress plugin, allowing for Stored XSS attacks. It affects versions 0.0.0 through 1.2.
If your WordPress site runs PDF Creator Lite plugin versions 0.0.0 through 1.2, you are potentially affected by this vulnerability.
The recommended fix is to update the PDF Creator Lite plugin to the latest available version that addresses the CSRF vulnerability. Check the WordPress plugin repository for updates.
While no public exploits are currently known, the CSRF/XSS combination is a common attack vector, so active exploitation is possible.
Check the official PDF Creator Lite plugin page on the WordPress plugin repository or the developer's website for the advisory.