E2Pdf < 1.20.20 – Admin+ Stored Cross-Site Scriping | CVE 2023-5229

Description

The plugin does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

1) Create a new template on https://vulnerable-site.tld/wp-admin/admin.php?page=e2pdf-templates.

In the popup, select "Empty PDF.". In the "Title" input field, inject the following JavaScript payload:

<script>alert("Tested by iduzzel");</script>

Click the "Save" button to save the template.

2) Return to the templates listing, and click on the "Backup" option for the template you created.

The popup will appear at the following URL, indicating the vulnerable page:
http://vulnerable-site.tld/wp-admin/admin.php?page=e2pdf-templates&action=backup&id=6 (or id=1 for the first attempt).

Other pages are affected as well, including:
- https://vulnerable-site.tld/wp-admin/admin.php?page=e2pdf
- https://vulnerable-site.tld/wp-admin/admin.php?page=e2pdf&action=bulk