CVE-2021-4416

Name of the Vulnerable Software and Affected Versions wp-mpdf plugin for WordPress versions up to, and including, 3.5.1

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the mpdf admin savepost() function. This allows unauthenticated attackers to save post data via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link.

Recommendations For wp-mpdf plugin for WordPress versions up to, and including, 3.5.1, update to a version higher than 3.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the mpdf admin savepost() function until a patch is available.