DK PDF WordPress PDF Generator Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the DK PDF - WordPress PDF Generator plugin, affecting all versions through 2.3.0. The vulnerability arises in the 'addContentToMpdf' function, allowing authenticated attackers with author-level access or higher to make web requests to arbitrary locations. This could be exploited to query and modify information from internal services.

Impact

Exploitation of this vulnerability could lead to unauthorized web requests being made from the WordPress application to internal services, potentially allowing attackers to access or modify sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user with author-level access or higher can use the DK PDF - WordPress PDF Generator plugin to generate a PDF. During this process, the 'addContentToMpdf' function is called, which contains the server-side request forgery vulnerability. The plugin's PDF generation feature can be accessed through the WordPress admin panel or by using a shortcode, depending on the site's configuration.

Remediation

No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.