WordPress Plugin Vulnerabilities

PDF Generator for WordPress < 1.5.5 - Missing Authorization

Description

The PDF Generator for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
pdf-generator-for-wp
Fixed in 1.5.5

References

CVE
CVE-2025-58978
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4ca43066-fcfb-4e6d-83c4-b6f0108d26ec

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tran Hoang Tuan Kiet
Verified
No
WPVDB ID
f88781de-db8d-4af6-8156-0b6d3451c084

Timeline

Publicly Published
2025-09-09 (about 9 months ago)
Added
2025-09-15 (about 9 months ago)
Last Updated
2025-09-15 (about 9 months ago)

Other

Published
Title
Published
2026-01-07
Title
GA4WP: Google Analytics for WordPress <= 2.10.0 - Missing Authorization
Published
2024-06-12
Title
Himer - Social Questions and Answers < 2.1.1 - Subscriber+ Private Group Joining via IDOR
Published
2026-02-18
Title
SEO Plugin by Squirrly SEO < 12.4.15 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection
Published
2023-10-25
Title
WordPress CTA < 1.5.9 - Unauthenticated AJAX Actions Call
Published
2026-05-21
Title
GSheet For Woo Importer < 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset