DK PDF – WordPress PDF Generator < 2.3.1 – Authenticated (Author+) Server-Side Request Forgery | CVE 2025-14793 | Plugin Vulnerabilities

Description

The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Fixed in 2.3.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada), Peerapat Samatathanyakorn

Verified

No

WPVDB ID

63727538-1d6f-4893-b1ad-b235b0c1af68

Timeline

Publicly Published

2026-01-15 (about 2 months ago)

Added

2026-01-15 (about 2 months ago)

Last Updated

2026-01-19 (about 2 months ago)

Other

Published

Title

Published

2024-01-08

Title

Contact Form 7 Extension For Mailchimp < 0.9.19 - Subscriber+ Server-Side Request Forgery

Published

2024-11-01

Title

Magical Addons For Elementor < 1.2.3 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2025-11-26

Title

AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.1 - Unauthenticated Server-Side Request Forgery via 'pinecone_url' Parameter

Published

2023-09-11

Title

Crayon Syntax Highlighter <= 2.8.4 - Contributor+ Server Side Request Forgery

Published

2024-07-11

Title

WappPress < 6.0.5 - Authenticated (Subscriber+) Server-Side Request Forgery