WordPress Plugin Vulnerabilities

Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI)

Description

Multiple plugins were found to be vulnerable to the Dompdf unauthenticated Local File Inclusion (LFI) vulnerability (CVE-2014-2383).

Proof of Concept

Affects Plugins

Plugin icon
web-portal-lite-client-portal-secure-file-sharing-private-messaging
No known fix
Plugin icon
buddypress-component-stats
No known fix
Plugin icon
abstract-submission
No known fix
Plugin icon
post-pdf-export
No known fix
Plugin icon
blogtopdf
No known fix
Plugin icon
gboutique
No known fix
Plugin icon
wp-ecommerce-shop-styling
No known fix

References

CVE
CVE-2014-2383
URL
https://github.com/dompdf/dompdf

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher
Random Robbie
Submitter twitter
Random_Robbie
Verified
Yes
WPVDB ID
1d64d0cb-6b71-47bb-8807-7c8350922582

Timeline

Publicly Published
2020-03-24 (about 5 years ago)
Added
2020-03-25 (about 5 years ago)
Last Updated
2020-03-26 (about 5 years ago)

Other

Published
Title
Published
2024-08-15
Title
JetElements < 2.6.20.1 - Authenticated (Contributor+) Arbitrary Local File Inclusion
Published
2022-03-30
Title
Videos sync PDF <= 1.7.4 - Unauthenticated LFI
Published
2025-05-30
Title
Newsletters < 4.10 - Authenticated (Administrator+) Local File Inclusion
Published
2025-07-25
Title
Kallyas < 4.22.0 - Authenticated (Contributor+) Arbitrary Folder Deletion
Published
2024-07-03
Title
Elementor Addons by Livemesh < 8.4.1 - Authenticated (Contributor+) Limited Local File Inclusion via Widgets