Platform
wordpress
Component
pdf-creator-lite
Fixed in
1.2.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the PDF Creator Lite WordPress plugin. This flaw allows attackers to trigger Stored XSS attacks, potentially compromising user accounts and website integrity. The vulnerability affects versions from 0.0.0 up to and including 1.2. A fix is available through plugin updates.
The CSRF vulnerability in PDF Creator Lite allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation can lead to the injection of malicious JavaScript code, resulting in Stored Cross-Site Scripting (XSS). This means the attacker's script is stored on the server and executed whenever a user visits a vulnerable page. The impact ranges from session hijacking and defacement to the theft of sensitive user data, including credentials and personal information. Attackers could also leverage this to distribute malware or redirect users to phishing sites.
CVE-2025-49341 was publicly disclosed on 2025-12-09. Currently, no public proof-of-concept (POC) code has been released, but the CSRF/XSS combination is a well-understood attack pattern. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates on exploitation attempts.
WordPress websites utilizing the PDF Creator Lite plugin, particularly those running older, unpatched versions (0.0.0–1.2), are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable if they haven't applied the necessary updates. Sites with user-generated content processed by the plugin are especially susceptible.
• wordpress / composer / npm:
grep -r "PDF Creator Lite" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep -i "pdf-creator-lite"
• wordpress / composer / npm:
curl -I https://your-wordpress-site.com/wp-content/plugins/pdf-creator-lite/ | grep -i 'X-Frame-Options'
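The one-liners above only tell you whether the plugin directory exists; deciding whether a site is actually affected means reading the installed version and comparing it with the fixed release (1.2.1). The script below is an added example, not part of the advisory or of the plugin, that does that comparison with a POSIX-portable version check. It assumes the plugin follows the standard WordPress convention of a "Version:" header in a top-level PHP file of its plugin folder; the sample folders it builds are constructed for the demonstration and are not real installs.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed PDF Creator Lite
# as affected (<= 1.2) or patched (>= 1.2.1) by reading its plugin header.
FIXED_VERSION="1.2.1"

# Print the "Version:" header value found in the plugin directory $1.
# Returns 1 if the directory does not exist (plugin not installed).
plugin_version() {
  dir="$1"
  [ -d "$dir" ] || return 1
  # WordPress plugin headers look like " * Version: 1.2" inside a PHP comment.
  grep -h -m1 -E '^[[:space:]*]*Version:' "$dir"/*.php 2>/dev/null \
    | head -n1 \
    | sed -E 's/^[[:space:]*]*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed (exit 0) when version $1 is lower than version $2, comparing each
# dotted numeric component; missing components count as 0 (1.2 == 1.2.0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1
  }'
}

# Print one of: not-installed, unknown-version, vulnerable:<v>, patched:<v>
assess_plugin() {
  v=$(plugin_version "$1") || { echo "not-installed"; return 0; }
  [ -n "$v" ] || { echo "unknown-version"; return 0; }
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable:$v"
  else
    echo "patched:$v"
  fi
}

# Constructed sample plugin folders (hypothetical, for exercising the check):
# one copy in the affected range and one at the fixed release.
make_sample_plugins() {
  base="$1"
  mkdir -p "$base/affected" "$base/fixed"
  printf '<?php\n/*\n * Plugin Name: PDF Creator Lite\n * Version: 1.2\n */\n' \
    > "$base/affected/pdf-creator-lite.php"
  printf '<?php\n/*\n * Plugin Name: PDF Creator Lite\n * Version: 1.2.1\n */\n' \
    > "$base/fixed/pdf-creator-lite.php"
}

# Usage: sh check-pdf-creator-lite.sh /var/www/html/wp-content/plugins/pdf-creator-lite
for d in "$@"; do
  echo "$d: $(assess_plugin "$d")"
done
```

Run it against the real plugin path (or several paths on a shared host) and act on any line reporting "vulnerable:". The numeric comparison matters because a plain string compare would rank "1.2" above "1.2.1" and "1.10" below "1.9".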
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49341 is to immediately update the PDF Creator Lite plugin to a version that addresses the CSRF vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, restrict access to sensitive plugin functionalities and carefully review any user-submitted content that is processed by the plugin. Regularly scan your WordPress installation for vulnerable plugins using security plugins or vulnerability scanners.
No patch is known to be available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be better to uninstall the affected software and look for a replacement.
CVE-2025-49341 is a Cross-Site Request Forgery (CSRF) vulnerability in the PDF Creator Lite WordPress plugin, allowing for Stored XSS attacks. It affects versions 0.0.0 through 1.2.
If you are using PDF Creator Lite plugin versions 0.0.0 to 1.2 on your WordPress site, you are potentially affected by this vulnerability.
The recommended fix is to update the PDF Creator Lite plugin to the latest available version that addresses the CSRF vulnerability. Check the WordPress plugin repository for updates.
While no public exploits are currently known, the CSRF/XSS combination is a common attack vector, so active exploitation is possible.
Check the official PDF Creator Lite plugin page on the WordPress plugin repository or the developer's website for the advisory.