CVE-2024-35649
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Pdfcrowd Save as PDF WordPress plugin allows attackers to inject malicious scripts into web pages. When users view affected pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Save as PDF plugin by Pdfcrowd
📦 What is this software?
Save As Pdf by Pdfcrowd
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over WordPress sites, deface websites, or redirect visitors to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious JavaScript that steals user session cookies or credentials when users visit compromised pages, leading to account takeover and unauthorized access.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching users, preventing execution and limiting impact to data integrity issues.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited, though specific exploit details for this CVE aren't publicly documented. Attackers need some level of access to inject malicious payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.4 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Save as PDF by Pdfcrowd'. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.2.4+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Pdfcrowd Save as PDF plugin until patched
wp plugin deactivate save-as-pdf-by-pdfcrowd
Implement WAF rules
allConfigure web application firewall to block XSS payload patterns
🧯 If You Can't Patch
- Remove or disable the Pdfcrowd Save as PDF plugin entirely
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Save as PDF by Pdfcrowd' version. If version is 3.2.3 or lower, you're vulnerable.Check Version:
wp plugin get save-as-pdf-by-pdfcrowd --field=versionVerify Fix Applied:
After updating, verify plugin version shows 3.2.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints
- Suspicious JavaScript payloads in request logs
- Multiple failed login attempts following plugin access
Network Indicators:
- Unexpected outbound connections from WordPress site
- Traffic to known malicious domains from user browsers
SIEM Query:
source="wordpress.log" AND ("save-as-pdf" OR "pdfcrowd") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")🔗 References
- https://patchstack.com/database/vulnerability/save-as-pdf-by-pdfcrowd/wordpress-save-as-pdf-plugin-by-pdfcrowd-plugin-3-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/save-as-pdf-by-pdfcrowd/wordpress-save-as-pdf-plugin-by-pdfcrowd-plugin-3-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve
