Save as PDF Plugin by Pdfcrowd - Insecure deserialization
Summary
| Name | Save as PDF Plugin by Pdfcrowd 4.4.1 - Insecure deserialization |
| Code name | skims-26 |
| Product | Save as PDF Plugin by Pdfcrowd |
| Affected versions | Version 4.4.1 |
| State | Private |
| Release date | 2025-01-03 |
Vulnerability
| Kind | Insecure deserialization |
| Rule | Insecure deserialization |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U |
| Exploit available | No |
| CVE ID(s) | CVE-2025-0771 |
Description
Save as PDF Plugin by Pdfcrowd 4.4.1 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/public/class-save-as-pdf-pdfcrowd- public.php.
Vulnerability
Skims by Fluid Attacks discovered a Insecure deserialization in Save as PDF Plugin by Pdfcrowd 4.4.1. The following is the output of the tool:
Skims output
1556 |
1557 | if(!empty($_POST['options'])) {
1558 | $decrypted = $this->decrypt(urldecode($_POST['options']),
1559 | $options['api_key']);
1560 | if($decrypted === false) {
1561 | esc_html_e(
1562 | 'Configuration error. Refresh page and retry.',
1563 | $this->plugin_name);
1564 | wp_die();
1565 | }
> 1566 | $custom_options = unserialize($decrypted);
1567 | $options = wp_parse_args($custom_options, $options);
1568 | }
1569 |
1570 | // error_log('decrypted options:');
1571 | // error_log(print_r($options, true));
1572 |
1573 | $default_conv_mode = 'url';
1574 | if(!isset($options['url'])) {
1575 | $location = $this->get_location($options);
1576 | if($location) {
^ Col 1
Our security policy
We have reserved the ID CVE-2025-0771 to refer to this issue from now on.
System Information
- Version: Save as PDF Plugin by Pdfcrowd
4.4.1
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims
Timeline
2025-01-03
Vulnerability discovered.
2025-01-03
Vendor contacted.
