Platform: wordpress
Component: pdf-thumbnail-generator
Fixed in: 1.4.1
CVE-2025-67469 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the kubiq PDF Thumbnail Generator plugin for WordPress. This vulnerability allows an attacker to trick a user into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of data. The vulnerability impacts versions from 0.0.0 through 1.4, and a fix is available in version 1.5.
A successful CSRF attack could allow an attacker to modify PDF thumbnail generation settings, potentially injecting malicious code or altering the appearance of thumbnails. This could lead to defacement of the website or, in more severe cases, exploitation of other vulnerabilities if the thumbnail generation process interacts with other sensitive components. The blast radius is limited to the scope of actions that can be performed through the PDF Thumbnail Generator plugin, but the impact on a compromised website can still be significant.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (POC) code has been released at the time of writing, but the CSRF nature of the vulnerability means that exploitation is relatively straightforward for attackers with basic web application security knowledge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6% percentile)
The primary mitigation is to upgrade the kubiq PDF Thumbnail Generator plugin to version 1.5 or later, which contains the fix for this vulnerability. If upgrading is not immediately possible, implement a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the thumbnail generation endpoints. Additionally, ensure that all user input related to thumbnail generation is carefully validated and sanitized to prevent malicious code injection. Consider implementing CSRF tokens for all critical actions within the plugin.
Update to version 1.5, or a newer patched version
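The CSRF-token mitigation described above, sketched as a WordPress settings handler. This is an added example, not code from the PDF Thumbnail Generator plugin or its author: every `example_ptg_*` name, the `max_width` field and its 1 to 4096 range are hypothetical, and the fragment assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
// Added example: hypothetical plugin code, not taken from PDF Thumbnail Generator.
// All example_ptg_* names and the max_width setting are constructed for illustration.
const EXAMPLE_PTG_ACTION = 'example_ptg_save_settings';
const EXAMPLE_PTG_NONCE  = 'example_ptg_nonce';

// Settings form: wp_nonce_field() embeds a token tied to this user, session and action.
function example_ptg_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_PTG_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_PTG_ACTION, EXAMPLE_PTG_NONCE ); ?>
        <input type="number" name="max_width" min="1" max="4096"
               value="<?php echo esc_attr( get_option( 'example_ptg_max_width', 1024 ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Weak pattern (CSRF-prone, shown for contrast and never hooked): the handler
// relies on the session cookie alone, so a cross-site form post carried by a
// logged-in administrator's browser is accepted as if the admin had sent it.
function example_ptg_save_unprotected() {
    update_option( 'example_ptg_max_width', $_POST['max_width'] );
}

// Hardened handler: capability check, nonce check, then a validated write.
function example_ptg_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request if the nonce is missing, expired or issued to another user.
    check_admin_referer( EXAMPLE_PTG_ACTION, EXAMPLE_PTG_NONCE );

    $width = isset( $_POST['max_width'] ) ? absint( wp_unslash( $_POST['max_width'] ) ) : 0;
    if ( $width < 1 || $width > 4096 ) {
        wp_die( 'Invalid width.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_ptg_max_width', $width );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_PTG_ACTION, 'example_ptg_save_settings' );
```

Because only the authenticated `admin_post_` hook is registered, unauthenticated requests never reach the handler; the nonce check is what separates a request made from the plugin's own form from one forged on another site.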
CVE-2025-67469 is a Cross-Site Request Forgery (CSRF) vulnerability in the kubiq PDF Thumbnail Generator plugin for WordPress, allowing attackers to perform unauthorized actions.
You are affected if you are using kubiq PDF Thumbnail Generator versions 0.0.0 through 1.4 on your WordPress site. Upgrade to 1.5 to mitigate the risk.
Upgrade the plugin to version 1.5 or later. As a temporary workaround, implement WAF rules and input validation.
While no public exploits are currently known, the CSRF nature of the vulnerability makes it easily exploitable, so active exploitation is possible.
Refer to the kubiq website or WordPress plugin repository for the official advisory and update information.