PDF Signer 3.0 contains a critical server-side template injection flaw (CVSS 9.8) that lets unauthenticated attackers execute arbitrary PHP through the CSRF-TOKEN cookie, fully compromising affected servers.
What Is It
CVE-2019-25729 is a server-side template injection (SSTI) vulnerability in PDF Signer 3.0, a commercial PHP application sold on CodeCanyon for creating digital signatures and signing PDF documents online. The flaw is in the application's handling of the CSRF-TOKEN cookie: the attacker-supplied cookie value is passed into template rendering without sanitization, so an attacker can inject template expressions that invoke PHP functions such as shell_exec() and run arbitrary system commands. The underlying weakness is CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine, a child of CWE-94 Code Injection); the issue is exploitable over the network with low complexity and requires no authentication or user interaction.
Why It Matters
The vulnerability scores 9.8 CRITICAL on CVSS v3.1 and 9.3 CRITICAL on CVSS v4.0, with high impact on confidentiality, integrity, and availability. Because the injection vector is a cookie, exploitation requires nothing more than a single HTTP request with a crafted Cookie header: no login and no victim interaction. A successful attack yields arbitrary command execution as the web server's service account, enabling retrieval of sensitive files, lateral movement, or full server takeover. A public proof-of-concept has been available on Exploit-DB (EDB-ID 46276) since the original 2019 disclosure, lowering the bar for opportunistic exploitation. The CVE is not currently listed in the CISA KEV catalog, so CISA has not confirmed in-the-wild exploitation at this time.
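A practical check that follows from the above: a CSRF token is an opaque string that should never contain template or PHP syntax, so any CSRF-TOKEN cookie that does is worth flagging in request logs or blocking at a reverse proxy. The following Python is an added example, not code from the advisory or from the PDF Signer product. The token alphabet, the marker list and the sample requests are constructed assumptions: the advisory names the cookie and shell_exec() but not the template engine's syntax, so the markers are a generic SSTI/PHP heuristic rather than a signature of the published exploit.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Assumption (not from the advisory): genuine CSRF tokens are opaque
# hex/base64-style strings. Anything outside this alphabet or length range
# is not a token the application could have issued.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-=+/]{16,128}$")

# Generic template-engine and PHP markers that never belong in an opaque
# token. The advisory names the cookie and shell_exec() but not the engine,
# so this list is a broad SSTI/PHP heuristic, not syntax quoted from it.
TEMPLATE_MARKERS = ("{{", "{%", "${", "<?", "shell_exec", "system(",
                    "passthru", "exec(", "popen", "eval(")

# Constructed sample traffic (not real captures): a benign request, one
# carrying a URL-encoded {{7*7}} SSTI probe, and one with a junk token.
SAMPLE_REQUESTS = [
    "GET /signer/index.php HTTP/1.1\r\nHost: signer.example\r\n"
    "Cookie: PHPSESSID=abc123; CSRF-TOKEN=4f3c2b1a0e9d8c7b6a5f4e3d2c1b0a9f\r\n\r\n",
    "GET /signer/index.php HTTP/1.1\r\nHost: signer.example\r\n"
    "Cookie: CSRF-TOKEN=%7B%7B7*7%7D%7D\r\n\r\n",
    "POST /signer/sign.php HTTP/1.1\r\nHost: signer.example\r\n"
    "Cookie: CSRF-TOKEN=abc\r\n\r\n",
]


def cookie_header(raw_request: str) -> Optional[str]:
    """Return the value of the Cookie header from a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            return value.strip()
    return None


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> value; the first occurrence wins."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies.setdefault(name.strip(), value.strip())
    return cookies


def classify_token(value: str) -> str:
    """Classify a CSRF-TOKEN cookie value: 'ok', 'template-markers' or 'malformed'.

    The value is URL-decoded first so percent-encoded braces are not missed.
    """
    decoded = unquote(value)
    if any(marker in decoded.lower() for marker in TEMPLATE_MARKERS):
        return "template-markers"
    if not TOKEN_RE.fullmatch(decoded):
        return "malformed"
    return "ok"


def scan_requests(requests: List[str]) -> List[Tuple[int, str, str]]:
    """Return (index, verdict, raw cookie value) for each request whose
    CSRF-TOKEN cookie is not a well-formed opaque token."""
    findings: List[Tuple[int, str, str]] = []
    for i, req in enumerate(requests):
        header = cookie_header(req)
        if header is None:
            continue
        token = parse_cookies(header).get("CSRF-TOKEN")
        if token is None:
            continue
        verdict = classify_token(token)
        if verdict != "ok":
            findings.append((i, verdict, token))
    return findings


if __name__ == "__main__":
    for index, verdict, token in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict}: {token!r}")
```

The same allowlist can be enforced as a blocking rule at a reverse proxy rather than as a log filter, which is the cheapest interim measure while no fixed build exists: the application only ever needs to compare the token against the session's copy, never to render it, so rejecting malformed tokens costs legitimate users nothing.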
What's Vulnerable
- Product: PDF Signer ("Signer - Create Digital Signatures and Sign PDF Documents Online"), distributed via CodeCanyon by the vendor simcy_creative.
- Affected version: 3.0 (as stated in the NVD description).
- Attack surface: any internet-reachable deployment of the PDF Signer web application that processes the CSRF-TOKEN cookie.
Patch Status
The NVD record lists no patched version and no vendor advisory. The references point to the CodeCanyon product page, the vendor profile, the original Exploit-DB entry, and the VulnCheck advisory; none of them identifies a fixed build. Operators running PDF Signer 3.0 should treat the deployment as unpatched: take affected instances offline or restrict network access to them, and contact the vendor before returning the service to production. Because the cookie is processed without any login, the application's own authentication is not a mitigation; any access restriction has to be enforced upstream, for example by a network ACL, a VPN, or a reverse proxy that rejects requests whose CSRF-TOKEN cookie is not a well-formed opaque token. Monitor the VulnCheck advisory and the CodeCanyon listing for an official fix.