CVE-2021-4416 in wp-mpdf Plugininfo

Summary

by MITRE • 07/12/2023

The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due to missing or incorrect nonce validation on the mpdf_admin_savepost() function. This makes it possible for unauthenticated attackers to save post data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/10/2026

The wp-mpdf plugin for WordPress represents a widely used tool that enables users to generate pdf documents from wordpress posts and pages through a simple shortcode. This plugin has been identified as vulnerable to a cross-site request forgery vulnerability in versions up to and including 3.5.1, which creates a significant security risk for wordpress installations. The vulnerability stems from the absence of proper nonce validation within the mpdf_admin_savepost() function, a critical security mechanism that should prevent unauthorized modifications to wordpress content. The flaw specifically affects the plugin's administrative functionality where post data can be saved through forged requests without proper authentication verification.

The technical implementation of this vulnerability lies in the missing or incorrect nonce validation process that should occur within the mpdf_admin_savepost() function. Nonce validation is a fundamental security pattern that generates a unique token for each user session that must be verified before any administrative action can be processed. In this case, the plugin fails to validate the nonce parameter that should be present in all administrative requests, allowing attackers to craft malicious requests that appear to originate from legitimate administrative sessions. This vulnerability operates under the common weakness classification of CWE-352, which specifically addresses cross-site request forgery flaws in web applications. The attack vector requires minimal privileges as the vulnerability does not require authentication to exploit, making it particularly dangerous as it can be leveraged by unauthenticated attackers.

The operational impact of this vulnerability extends beyond simple data modification, as it allows attackers to manipulate content and potentially inject malicious code into wordpress posts through forged administrative requests. When an administrator clicks on a malicious link or visits a compromised website, the forged request can execute without proper authorization, potentially leading to content injection, data manipulation, or even privilege escalation within the wordpress environment. This type of vulnerability can be exploited through social engineering techniques where administrators are tricked into visiting malicious websites or clicking on infected links, making it particularly challenging to detect and prevent. The exploitation of this vulnerability aligns with attack techniques documented in the attack tree under the MITRE ATT&CK framework for privilege escalation and credential access through web application vulnerabilities.

The mitigation strategy for this vulnerability requires immediate patching of the wp-mpdf plugin to version 3.5.2 or later, where the nonce validation has been properly implemented. System administrators should also consider implementing additional security measures such as monitoring for suspicious administrative requests and ensuring that all wordpress plugins are kept up to date with the latest security patches. The vulnerability can be addressed through proper input validation and the implementation of robust session management practices that ensure all administrative functions require proper authentication tokens. Organizations should also consider implementing web application firewalls and security monitoring solutions that can detect and block suspicious administrative requests that do not contain proper nonce validation tokens. The remediation process should include verification that the plugin's administrative functions properly validate nonces and that no other similar vulnerabilities exist within the plugin's codebase, ensuring that the overall security posture of the wordpress installation is maintained against similar cross-site request forgery threats.

Responsible

Wordfence

Reservation

07/11/2023

Disclosure

07/12/2023

Moderation

accepted

CPE

ready

EPSS

0.00345

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!