CVE-2025-14793 - Vulnerability Details

- DK PDF – WordPress PDF Generator <= 2.3.0 - Authenticated (Author+) Server-Side Request Forgery

Description

The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Published: 2026-01-16

Score: 5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The DK PDF – WordPress PDF Generator plugin contains a server‑side request forgery flaw in its addContentToMpdf function. An authenticated user with author privileges or higher can supply arbitrary URLs, causing the plugin to issue web requests from the application server. This can allow the attacker to interrogate or modify data on internal services, potentially exposing sensitive configuration, credentials, or enabling further internal attacks. The weakness is classed as CWE‑918.

Affected Systems

The vulnerability affects the DK PDF – WordPress PDF Generator plugin distributed by torstenbulk for WordPress. All releases up to and including version 2.3.0 are impacted; newer versions beyond 2.3.0 are not listed as affected.

Risk and Exploitability

The CVSS score of 5 indicates a moderate severity. The EPSS score of less than 1% signals a very low probability of exploitation at the time of analysis, and the flaw is not currently listed in CISA’s KEV catalog. Exploitation requires the attacker to be authenticated with author-level access or higher and to submit a request that triggers the vulnerable function. The potential impact is primarily internal network compromise rather than direct code execution on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

torstenbulk

DK PDF – WordPress PDF Generator

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.3.0

No data.

Vendor	Product	Confidence	Versions
Torstenbulk	Dk Pdf	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the DK PDF – WordPress PDF Generator plugin to the latest version released after 2.3.0.
If an upgrade is not immediately possible, remove author or higher privileges from users who can install or configure the plugin, limiting the exposed authority level.
Implement network segmentation or firewall rules that restrict outbound HTTP/HTTPS traffic from the WordPress server to internal addresses, thereby blocking the plugin’s ability to reach internal resources.

Generated by OpenCVE AI on April 20, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/modules/PDF/DocumentBuilder.php#L213
https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/templates/dkpdf-index.php#L134
https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/Frontend/WordPressIntegration.php?marks=22-25#L22
https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/PDF/Generator.php?marks=24-56#L24
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440588%40dk-pdf&new=3440588%40dk-pdf&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7?source=cve

History

Wed, 08 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
References		https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440588%40dk-pdf&new=3440588%40dk-pdf&sfp_email=&sfph_mail=

Fri, 16 Jan 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Torstenbulk Torstenbulk dk Pdf Wordpress Wordpress wordpress
Vendors & Products		Torstenbulk Torstenbulk dk Pdf Wordpress Wordpress wordpress
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 16 Jan 2026 07:00:00 +0000

Type	Values Removed	Values Added
Description		The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title		DK PDF – WordPress PDF Generator <= 2.3.0 - Authenticated (Author+) Server-Side Request Forgery
Weaknesses		CWE-918
References		https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/modules/PDF/DocumentBuilder.php#L213 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/templates/dkpdf-index.php#L134 https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/Frontend/WordPressIntegration.php?marks=22-25#L22 https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/PDF/Generator.php?marks=24-56#L24 https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7?source=cve
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}`

Subscriptions

Torstenbulk Dk Pdf

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-01-16T06:43:21.806Z

Updated: 2026-04-08T17:15:53.689Z

Reserved: 2025-12-16T17:23:52.261Z

Link: CVE-2025-14793

Vulnrichment

Updated: 2026-01-16T13:51:05.755Z

NVD

Status : Deferred

Published: 2026-01-16T07:15:54.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object