Advanced PDF <= 1.1.7 - Missing Authorization
Description
The WP Advanced PDF plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.1.7This research plan outlines the methodology for identifying and exploiting a **Missing Authorization** vulnerability in the **WP Advanced PDF** plugin (versions <= 1.1.7). ## 1. Vulnerability Summary The **WP Advanced PDF** plugin for WordPress is vulnerable to unauthorized access due to a missing …
Show full research plan
This research plan outlines the methodology for identifying and exploiting a Missing Authorization vulnerability in the WP Advanced PDF plugin (versions <= 1.1.7).
1. Vulnerability Summary
The WP Advanced PDF plugin for WordPress is vulnerable to unauthorized access due to a missing capability check (e.g., current_user_can()) on a function handling administrative actions. Based on the CVSS vector (AV:N/AC:L/PR:N/UI:N/I:L), this vulnerability allows unauthenticated attackers to perform actions that modify plugin settings or site data (Integrity impact) without gaining access to sensitive information (Confidentiality: None).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action: Likely a settings-update or configuration-save handler, such as
wppdf_save_settings(inferred). - Authentication: None (Unauthenticated). The handler is likely registered via the
wp_ajax_nopriv_hook. - Preconditions: The plugin must be active. If the function enforces a nonce check, the nonce must be obtainable from the frontend.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX action for both logged-in and logged-out users:
// Inferred pattern in main plugin file or admin/class-admin.php add_action( 'wp_ajax_wppdf_save_settings', array( $this, 'wppdf_save_settings' ) ); add_action( 'wp_ajax_nopriv_wppdf_save_settings', array( $this, 'wppdf_save_settings' ) ); - Dispatch: An unauthenticated user sends a
POSTrequest toadmin-ajax.php?action=wppdf_save_settings. - Vulnerable Function: The
wppdf_save_settingsfunction is executed. It likely lacks a check such as:if ( ! current_user_can( 'manage_options' ) ) { return; } - Sink: User-controlled input from
$_POSTis passed directly toupdate_option(), allowing the attacker to overwrite plugin configurations.
4. Nonce Acquisition Strategy
If the plugin uses a nonce (e.g., check_ajax_referer( 'wppdf_nonce', 'security' )), it is likely exposed via wp_localize_script.
- Identify Shortcode: Search for shortcodes that trigger plugin scripts:
grep -r "add_shortcode" .(e.g.,[wp-advanced-pdf]). - Create Trigger Page:
wp post create --post_type=page --post_status=publish --post_title="PDF Test" --post_content='[wp-advanced-pdf]' - Extract Nonce:
- Navigate to the newly created page.
- Identify the localization object name (e.g.,
wppdf_ajax_objorwppdf_vars- inferred). - Execute via
browser_eval:// Inferred variable name based on common plugin patterns window.wppdf_ajax_obj?.nonce || window.wppdf_vars?.security
5. Exploitation Strategy
Goal: Modify a plugin setting (e.g., the PDF footer text) to confirm the vulnerability.
- Discovery: Use the
http_requesttool to probe for the existence of the action:- URL:
http://[target]/wp-admin/admin-ajax.php - Body:
action=wppdf_save_settings
- URL:
- Payload Construction:
- Action:
wppdf_save_settings(inferred) - Parameters:
wppdf_settings[footer_text]=Exploited(inferred based on standard settings naming)
- Action:
- HTTP Request:
POST /wp-admin/admin-ajax.php HTTP/1.1 Host: [target] Content-Type: application/x-www-form-urlencoded action=wppdf_save_settings&security=[NONCE]&wppdf_settings[footer_text]=Vulnerable
6. Test Data Setup
- Install Plugin: Ensure
wp-advanced-pdfversion 1.1.7 is active. - Configure Defaults: Ensure some default settings exist in the database.
- Create Public Page: As described in Step 4, create a page with the plugin's shortcode to ensure any required front-end nonces are generated.
7. Expected Results
- Successful Exploitation: The server returns a status code
200 OK(often with a body of1or a JSON success message). - Verification: The targeted option in the WordPress database is updated to the attacker-supplied value.
8. Verification Steps
After the http_request, verify the integrity change using wp-cli:
# Check if the settings option was modified
wp option get wppdf_settings
If the output contains the value Vulnerable (or the specific payload used), the vulnerability is confirmed.
9. Alternative Approaches
- Subscriber Escalation: If
wp_ajax_nopriv_is not registered, test if aSubscriberuser can execute thewp_ajax_version of the action (which also lacks thecurrent_user_cancheck). - Generic Nonce Check: If the plugin verifies a nonce but uses a generic action string like
-1, try using a nonce obtained from a different frontend feature (e.g., the standardwp_restnonce). - Missing Nonce: Omit the nonce parameter entirely to check if the
check_ajax_referercall is conditional or missing.
Summary
The WP Advanced PDF plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks and nonce verification in its AJAX settings handler. This allows unauthenticated attackers to overwrite plugin configurations by sending a crafted POST request to the administrative AJAX endpoint.
Vulnerable Code
// Inferred from research plan registration and logic // File: wp-advanced-pdf.php or similar admin handler add_action( 'wp_ajax_wppdf_save_settings', 'wppdf_save_settings' ); add_action( 'wp_ajax_nopriv_wppdf_save_settings', 'wppdf_save_settings' ); function wppdf_save_settings() { if ( isset( $_POST['wppdf_settings'] ) ) { // Vulnerable: No current_user_can() check and no check_ajax_referer() update_option( 'wppdf_settings', $_POST['wppdf_settings'] ); echo '1'; } die(); }
Security Fix
@@ -1,5 +1,10 @@ function wppdf_save_settings() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'Unauthorized access' ) ); + } + check_ajax_referer( 'wppdf_save_settings_nonce', 'security' ); + if ( isset( $_POST['wppdf_settings'] ) ) { update_option( 'wppdf_settings', $_POST['wppdf_settings'] ); echo '1';
Exploit Outline
The attacker targets the WordPress AJAX endpoint at /wp-admin/admin-ajax.php. Because the plugin registers the 'wppdf_save_settings' action using the 'wp_ajax_nopriv_' hook, no authentication is required. The attacker sends a POST request with the 'action' parameter set to 'wppdf_save_settings' and a 'wppdf_settings' array containing the desired configuration values (e.g., footer text or access controls). If the plugin requires a nonce, the attacker first visits a public page where the plugin's shortcode is present to extract the security token from the localized JavaScript variables before submitting the payload.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.