WordPress Security Bulletin: DK PDF 6ndash; WordPress PDF Generator Plugin Vulnerability (CVE-2025-14793)

On this page

Security Alert Summary

The DK PDF 6ndash; WordPress PDF Generator plugin contains a server-side request forgery (SSRF) vulnerability in the addContentToMpdf function. Authenticated users with author-level privileges or higher can cause the application to make arbitrary web requests originating from the site, which may allow access to or interaction with internal services.


CVE Details

  • CVE ID: CVE-2025-14793
  • Affected component: The DK PDF 6ndash; WordPress PDF Generator plugin for WordPress
  • Affected versions: All versions up to, and including, 2.3.0
  • Published: January 16, 2026 07:15:54 AM UTC
  • Last modified: January 16, 2026 03:55:12 PM UTC
  • CVSS v3.1: Base Score 5.0, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
  • Authentication / privileges / user interaction: Authenticated attacker required; description specifies author level and above. CVSS privileges required: LOW. User interaction: NONE.
  • Primary impact: Confidentiality: Low; Integrity: None; Availability: None
  • CWE / weakness: CWE-918 (Server-Side Request Forgery)

Technical Details

The vulnerability is a server-side request forgery (SSRF) originating in the plugin’s addContentToMpdf function. By supplying input that reaches this function, an authenticated user with author-level privileges or higher can cause the web application to initiate HTTP requests to arbitrary locations. Those requests originate from the server running WordPress, which can allow interaction with internal-only endpoints or services reachable from the host.

The CVE description explicitly identifies addContentToMpdf as the vulnerable code path. The issue exists because user-controlled data can be used to trigger outbound requests without sufficient validation or restriction, enabling SSRF-style queries against internal or external hosts.


How This Could Impact Your Website

Consider a site with multiple users: the site owner, internal staff who manage content, and external contractors or contributors given author-level access. If an author or a misused contributor account is used to exploit this vulnerability, an attacker could have the site make requests to internal services (for example, services bound to localhost or private IP ranges) and gather limited information from those endpoints. That information could include internal endpoints or metadata and, depending on internal services, potentially user contact information or other low-sensitivity data consistent with the CVSS confidentiality impact.

Practical consequences include increased risk of targeted phishing or social engineering if internal email addresses or service endpoints are exposed. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (no patched version is specified in the CVE entry).
  • Review and reduce unnecessary user roles and permissions, especially accounts with author-level access or higher.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and logs for unusual behavior, such as unexpected outbound requests originating from the web application.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References