CVE-2021-4416: 
WordPress vulnerability analysis and mitigation

The wp-mpdf plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2021-4416, affecting versions up to and including 3.5.1. The vulnerability was discovered by Jerome Bruandet of NinTechNet and was publicly disclosed on June 21, 2021. The issue affects the mpdfadminsavepost() function due to missing or incorrect nonce validation (CVE MITRE).

The vulnerability stems from improper implementation of CSRF protection mechanisms in the wp-mpdf WordPress plugin. Specifically, the mpdfadminsavepost() function lacks proper nonce validation, which is a crucial security measure for preventing CSRF attacks. The vulnerability has been assigned a CVSS score of 4.3 (Medium), indicating a moderate severity level (Wordfence).

The vulnerability allows unauthenticated attackers to save post data through forged requests if they can successfully trick a site administrator into performing specific actions, such as clicking on a malicious link. This could potentially lead to unauthorized data manipulation on the affected WordPress sites (WPScan).

The vulnerability has been fixed in version 3.5.2 of the wp-mpdf plugin. Site administrators are strongly advised to update to this version or later to protect against potential CSRF attacks (WPScan).