VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-67469

Description

Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator (pdf-thumbnail-generator) allows Cross Site Request Forgery. This issue affects PDF Thumbnail Generator: from n/a through <= 1.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the PDF Thumbnail Generator plugin up to version 1.4 allows attackers to force privileged users to perform unintended actions.

The PDF Thumbnail Generator plugin for WordPress up to version 1.4 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw occurs because the plugin does not implement proper CSRF protections, such as nonces or token validation, on state-changing requests. A CSRF vulnerability allows an attacker to trick an authenticated administrator into unknowingly executing malicious actions, leveraging their current session. [1]

The attack surface is simple: an attacker crafts a malicious link or HTML form targeting a specific action in the plugin. If a logged-in administrator visits that crafted page or clicks the link, the browser sends the request on their behalf and the attacker's chosen action executes under the administrator's identity, without the administrator's knowledge. No cross-site scripting is required, but the victim must have sufficient privileges to trigger the vulnerable action. [1]
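The missing control described above is the WordPress nonce. As an added illustration (not code from pdf-thumbnail-generator; the action, option and field names are hypothetical), the block below places a settings handler with no request-origin check beside the same handler protected by a capability check and a nonce tied to that action:

```php
<?php
// Added example, not taken from the plugin. Handler names, the option
// 'ptg_thumb_width' and the field names are hypothetical.

// --- Vulnerable form: any request reaching admin-post.php while an admin
// is logged in changes the option, so a cross-site form can drive it.
add_action( 'admin_post_ptg_save_settings_unsafe', function () {
    update_option( 'ptg_thumb_width', $_POST['thumb_width'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=ptg' ) );
    exit;
} );

// --- Hardened form. The settings form emits a nonce bound to the action
// 'ptg_save_settings'; a form hosted elsewhere cannot know that value.
function ptg_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ptg_save_settings">
        <?php wp_nonce_field( 'ptg_save_settings', 'ptg_nonce' ); ?>
        <input type="number" name="thumb_width"
               value="<?php echo esc_attr( get_option( 'ptg_thumb_width', 200 ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_ptg_save_settings', function () {
    // Reject users who may not change plugin settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce in field 'ptg_nonce' for
    // action 'ptg_save_settings' and dies with a 403 if missing or invalid.
    check_admin_referer( 'ptg_save_settings', 'ptg_nonce' );

    // Validate the value itself as well; the nonce only proves intent.
    $width = absint( $_POST['thumb_width'] ?? 0 );
    if ( $width < 16 || $width > 2000 ) {
        wp_die( 'Invalid thumbnail width.', '', array( 'response' => 400 ) );
    }
    update_option( 'ptg_thumb_width', $width );
    wp_safe_redirect( admin_url( 'options-general.php?page=ptg&updated=1' ) );
    exit;
} );
```

When auditing a plugin for this class of issue, every `admin_post_*`, `wp_ajax_*` and settings-saving handler should show a `check_admin_referer()` or `wp_verify_nonce()` call before any `update_option()` or similar write.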

The impact of successful exploitation includes unauthorized modifications of the plugin's settings or actions, potentially leading to further compromise of the site. The CVSS v3 base score is 4.3 (Medium), reflecting the need for user interaction and the requirement that the victim have elevated privileges. [1]

The vulnerability has been addressed in version 1.5 of the plugin. Users are strongly advised to update immediately or enable automatic updates via Patchstack. No other workarounds are documented, and the vendor considers this a low-severity, unlikely-to-be-exploited issue, though CSRF vulnerabilities are known targets in broad Web attacks. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)