Platform
wordpress
Component
pdf-thumbnail-generator
Fixed version
1.4.1
CVE-2025-67469 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the kubiq PDF Thumbnail Generator plugin for WordPress. This vulnerability allows an attacker to trick a user into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of data. The vulnerability impacts versions from 0.0.0 through 1.4, and a fix is available in version 1.5.
A successful CSRF attack could allow an attacker to modify PDF thumbnail generation settings, potentially injecting malicious code or altering the appearance of thumbnails. This could lead to defacement of the website or, in more severe cases, exploitation of other vulnerabilities if the thumbnail generation process interacts with other sensitive components. The blast radius is limited to the scope of actions that can be performed through the PDF Thumbnail Generator plugin, but the impact on a compromised website can still be significant.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (POC) code has been released at the time of writing, but the CSRF nature of the vulnerability means that exploitation is relatively straightforward for attackers with basic web application security knowledge. It is not currently listed on the CISA KEV catalog.
WordPress websites using the kubiq PDF Thumbnail Generator plugin, particularly those running vulnerable versions (0.0.0–1.4), are at risk. Shared hosting environments where plugin updates are not managed centrally are also at increased risk, as are websites with a large user base and a high volume of traffic.
• wordpress / composer / npm:
grep -r 'pdf-thumbnail-generator' /var/www/html/wp-content/plugins/
wp plugin list | grep pdf-thumbnail-generator
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/pdf-thumbnail-generator/ | grep -i 'csrf-token'
disclosure
Exploitation status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the kubiq PDF Thumbnail Generator plugin to version 1.5 or later, which contains the fix for this vulnerability. If upgrading is not immediately possible, implement a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the thumbnail generation endpoints. Additionally, ensure that all user input related to thumbnail generation is carefully validated and sanitized to prevent malicious code injection. Consider implementing CSRF tokens for all critical actions within the plugin.
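As an added illustration (not the plugin's own code; the option, action and function names are hypothetical), the standard WordPress defence that the last sentence of the mitigation refers to: a settings handler with no nonce check beside one that verifies the user's capability and the nonce before saving anything.

```php
<?php
// Added example, not code from the PDF Thumbnail Generator plugin.
// All ptg_demo_* names and the 'thumb_width' option are hypothetical.

// --- Vulnerable pattern: the handler trusts any POST that reaches admin-post.php.
function ptg_demo_save_settings_vulnerable() {
    // No nonce check: a form submitted from another site by a logged-in admin is accepted.
    update_option( 'ptg_demo_thumb_width', intval( $_POST['thumb_width'] ?? 150 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ptg-demo' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce and the handler verifies it.
function ptg_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ptg_demo_save">
        <?php wp_nonce_field( 'ptg_demo_save_settings', 'ptg_demo_nonce' ); ?>
        <input type="number" name="thumb_width"
               value="<?php echo esc_attr( get_option( 'ptg_demo_thumb_width', 150 ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function ptg_demo_save_settings_hardened() {
    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: dies with a 403 page unless the token is present and valid for this action.
    check_admin_referer( 'ptg_demo_save_settings', 'ptg_demo_nonce' );

    // Sanitize the input before storing it.
    $width = absint( $_POST['thumb_width'] ?? 150 );
    update_option( 'ptg_demo_thumb_width', $width );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=ptg-demo' ) ) );
    exit;
}
add_action( 'admin_post_ptg_demo_save', 'ptg_demo_save_settings_hardened' );
```

The nonce is tied to the logged-in user and the action name, so a cross-site form cannot supply a valid one; the capability check covers the case where a nonce leaks to a lower-privileged user.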
Update to version 1.5, or a newer patched version.
CVE-2025-67469 is a Cross-Site Request Forgery (CSRF) vulnerability in the kubiq PDF Thumbnail Generator plugin for WordPress, allowing attackers to perform unauthorized actions.
You are affected if you are using kubiq PDF Thumbnail Generator versions 0.0.0 through 1.4 on your WordPress site. Upgrade to 1.5 to mitigate the risk.
Upgrade the plugin to version 1.5 or later. As a temporary workaround, implement WAF rules and input validation.
While no public exploits are currently known, the CSRF nature of the vulnerability makes it easily exploitable, so active exploitation is possible.
Refer to the kubiq website or WordPress plugin repository for the official advisory and update information.