<img /> tag with user-supplied data you are at risk. We recommend all users update immediately. Version 5.1.3 is available via your dashboard and can also be downloaded from WordPress.org. If you’re still running v4, you will need to download 4.5.1 manually and install it using FTP.
Along with the security fix, v5.1.3 resolves a false positive that the mPDF font cache triggered in the security scanner chkrootkit. The font data is now cached as JSON instead of in PHP files. This change also improves compatibility with hosting providers like WP Engine.
Finally, v5.1.3 has better support for loading images in PDFs over HTTPS, as well as additional logging when images fail to load.