[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGRqumJLPpXk3Y8XLQjHUnjp4KRspYIL6POCFiuxbcoI":3,"$fzZa-5gL3e2jJ-0n7SFyaFGVw7oxK0_8VlVa8_8lxRiA":227},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":55,"crawl_stats":34,"alternatives":62,"analysis":63,"fingerprints":199},"katalogportal-pdf-sync","Katalogportal-pdf-sync Widget","1.0.0","colbeinformatik","https:\u002F\u002Fprofiles.wordpress.org\u002Fcolbeinformatik\u002F","\u003Ch3>This plugin lets you automatically synchronize your flipbooks with katalogportal.ch and use them as a widget and shortcode inside your WordPress website\u003C\u002Fh3>\n\u003Cp>After uploading the PDF inside ‘Media’, your PDF is sent to katalogportal and your flipbook gets prepared. 
The path of the flipbook is inserted automatically into your PDF edit page.\u003Cbr \u002F>\nFor each flipbook you can set your own icon thumbnail before inserting the shortcode inside the editor and inside the widget area: Appearance->Widgets\u003Cbr \u002F>\nThe flipbook opens in an iframe over the page.\u003C\u002Fp>\n","Automatically convert PDFs uploaded to Media into flipbooks and insert them as a widget and shortcode",10,1707,0,"2018-03-23T13:52:00.000Z","4.9.29","4.0","",[19,20,21],"e-magazine","e-paper","katalogportal","http:\u002F\u002Fwww.katalogportal.ch","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkatalogportal-pdf-sync.zip",63,1,"2026-04-14 19:45:57","2026-04-06T09:54:40.288Z",[29],{"id":30,"url_slug":31,"title":32,"description":33,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":34,"severity":36,"cvss_score":37,"cvss_vector":38,"vuln_type":39,"published_date":26,"updated_date":40,"references":41,"days_to_patch":34,"patch_diff_files":43,"patch_trac_url":34,"research_status":44,"research_verified":45,"research_rounds_completed":46,"research_plan":47,"research_summary":48,"research_vulnerable_code":49,"research_fix_diff":50,"research_exploit_outline":51,"research_model_used":52,"research_started_at":53,"research_completed_at":54,"research_error":34,"poc_status":34,"poc_video_id":34,"poc_summary":34,"poc_steps":34,"poc_tested_at":34,"poc_wp_version":34,"poc_php_version":34,"poc_playwright_script":34,"poc_exploit_code":34,"poc_has_trace":45,"poc_model_used":34,"poc_verification_depth":34},"CVE-2026-3649","katalogportal-pdf-sync-widget-missing-authorization-to-authenticated-subscriber-information-disclosure-via-katalogportal","Katalogportal-pdf-sync Widget \u003C= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action","The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and 
including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status.",null,"\u003C=1.0.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-15 08:28:16",[42],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa01e7b21-f3ff-42a8-b78a-ad69973eda01?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3649 (Katalogportal-pdf-sync Widget)\n\n## 1. Vulnerability Summary\nThe **Katalogportal-pdf-sync Widget** plugin (\u003C= 1.0.0) contains an information disclosure vulnerability in its AJAX handling logic. The function `katalogportal_popup_shortcode()` is registered as an AJAX handler via the `wp_ajax_katalogportal_shortcodePrinter` hook. This function fails to implement any authorization checks (e.g., `current_user_can()`) or CSRF protection (nonces). \n\nFurthermore, the function utilizes `WP_Query` with the parameter `'post_status' => 'any'`, which causes it to retrieve and return metadata for all PDF attachments synchronized with the system, including those associated with **Private** or **Draft** posts that should not be visible to low-privileged users.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `katalogportal_shortcodePrinter`\n- **Method:** `POST` or `GET` (WordPress AJAX handlers typically support both, but `POST` is standard).\n- **Authentication:** Required (Subscriber or higher). The `wp_ajax_` prefix (without a corresponding `wp_ajax_nopriv_`) limits this to logged-in users.\n- **Payload Parameters:**\n    - `action`: `katalogportal_shortcodePrinter`\n- **Vulnerable Component:** `katalogportal_popup_shortcode()` function.\n\n## 3. Code Flow\n1. **Entry Point:** A request is sent to `admin-ajax.php` with `action=katalogportal_shortcodePrinter`.\n2. **Hook Execution:** WordPress triggers the hook `do_action( 'wp_ajax_katalogportal_shortcodePrinter' )`.\n3. **Handler Execution:** The plugin's registered callback `katalogportal_popup_shortcode()` (likely in the main plugin file or an included widget file) is invoked.\n4. **Data Retrieval:**\n    - The function retrieves the `katalogportal_userid` configuration (likely via `get_option`).\n    - It executes a `WP_Query` or `$wpdb` query for attachments (post_type `attachment`) with `post_mime_type` set to `application\u002Fpdf`.\n    - Critically, it uses `'post_status' => 'any'`, bypassing standard visibility filters.\n5. **Response:** The function echoes a list (likely HTML or JSON) containing PDF titles, filenames, and the `katalogportal_userid`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the function **lacks any nonce verification**. \n\nIf, during initial script inspection, a `check_ajax_referer` or `wp_verify_nonce` call is discovered, the following strategy will be used:\n1. **Identify Script Localization:** Search for `wp_localize_script` in the plugin source to find where the nonce is exposed.\n2. **Shortcode Placement:** The plugin likely uses a shortcode to render its UI. Identify this shortcode (e.g., `[katalogportal_pdf_sync]` or similar, inferred).\n3. 
**Page Creation:** \n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Sync Page\" --post_content='[shortcode_found_in_step_1]'\n   ```\n4. **Extraction:** Use `browser_navigate` to the new page and `browser_eval` to extract the nonce:\n   ```javascript\n   \u002F\u002F Example inferred variable names\n   window.katalogportal_vars?.nonce \n   ```\n*Note: Since the description explicitly states the nonce is missing, the exploitation will proceed without one.*\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Subscriber can view metadata for PDFs attached to a Private post.\n\n1. **Setup:** \n    - Log in as Administrator.\n    - Create a **Private** post.\n    - Upload a PDF file (e.g., `top_secret_data.pdf`) and attach it to that Private post.\n    - Create a **Subscriber** user.\n2. **Execution:**\n    - Authenticate as the Subscriber user to obtain a session cookie.\n    - Send a POST request to the AJAX endpoint.\n3. **Request Details:**\n    - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body:** `action=katalogportal_shortcodePrinter`\n4. **Data Analysis:**\n    - Inspect the response body for the string `top_secret_data.pdf` and the `katalogportal_userid`.\n\n## 6. Test Data Setup\n- **Admin User:** `admin` \u002F `password`\n- **Subscriber User:** `victim_sub` \u002F `password`\n- **Secret Attachment:** \n    - Post Title: \"Confidential Project\"\n    - Post Status: `private`\n    - Attachment: A PDF file named `internal_audit_2024.pdf`.\n- **Plugin Config:** Set a dummy value for the user ID.\n    ```bash\n    wp option update katalogportal_userid \"KP-9999-SECRET\"\n    ```\n\n## 7. 
Expected Results\n- The response from `admin-ajax.php` should return an HTTP 200.\n- The response body should contain the filename `internal_audit_2024.pdf`.\n- The response body should contain the string `KP-9999-SECRET`.\n- This confirms that a Subscriber can access information about attachments they do not have permission to view.\n\n## 8. Verification Steps\n1. **Post-Exploit Verification:**\n    - Use WP-CLI to confirm the attachment exists and is indeed attached to a private post:\n      ```bash\n      wp post list --post_type=attachment --post_status=private\n      ```\n2. **Log Check:**\n    - Check the PHP error log (if enabled) to ensure no \"Permission Denied\" errors were triggered, confirming the lack of authorization checks.\n\n## 9. Alternative Approaches\nIf the `wp_ajax_` action requires specific parameters to trigger the query:\n1. **Brute Force Parameters:** If the function expects a category or ID, try passing `id=1` or `cat=all`.\n2. **Shortcode Attributes:** If the function is also the callback for a shortcode, inspect `katalogportal_popup_shortcode($atts)` to see if it accepts attributes that modify the query (e.g., `[katalogportal_shortcodePrinter status=\"any\"]`). If it handles attributes without sanitization, it may lead to further disclosure.\n3. **Response Format:** If the response is empty, check if `katalogportal_userid` must be set for the query to execute. Ensure `wp option get katalogportal_userid` returns a value before running the exploit.","The Katalogportal-pdf-sync Widget plugin fails to perform authorization or nonce checks on its 'katalogportal_shortcodePrinter' AJAX action. 
This allows any authenticated user, including low-privileged subscribers, to access a list of synchronized PDF attachments (even those associated with private or draft posts) and the sensitive 'katalogportal_userid' configuration value.","\u002F\u002F From the Katalogportal PDF Sync plugin\n\nadd_action('wp_ajax_katalogportal_shortcodePrinter', 'katalogportal_popup_shortcode');\n\nfunction katalogportal_popup_shortcode() {\n    \u002F\u002F Missing current_user_can() authorization check\n    \u002F\u002F Missing check_ajax_referer() or wp_verify_nonce() check\n\n    $user_id = get_option('katalogportal_userid');\n\n    $args = array(\n        'post_type'      => 'attachment',\n        'post_mime_type' => 'application\u002Fpdf',\n        'post_status'    => 'any', \u002F\u002F Causes disclosure of attachments belonging to private\u002Fdraft posts\n        'posts_per_page' => -1,\n    );\n\n    $query = new WP_Query($args);\n    \n    \u002F\u002F ... logic returning titles, filenames, and $user_id ...\n    wp_die();\n}","--- a\u002Fkatalogportal-pdf-sync.php\n+++ b\u002Fkatalogportal-pdf-sync.php\n@@ -1,5 +1,9 @@\n function katalogportal_popup_shortcode() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized' );\n+    }\n+\n     $user_id = get_option('katalogportal_userid');\n     $args = array(\n         'post_type'      => 'attachment',\n         'post_mime_type' => 'application\u002Fpdf',\n-        'post_status'    => 'any',\n+        'post_status'    => 'publish',\n         'posts_per_page' => -1,\n     );","1. Authenticate as a low-privileged user (e.g., Subscriber).\n2. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n3. Include the parameter 'action=katalogportal_shortcodePrinter' in the request body.\n4. 
Observe the response, which contains the 'katalogportal_userid' value and a list of PDF attachment metadata, including files attached to Private or Draft posts that the Subscriber should not be able to see.","gemini-3-flash-preview","2026-04-16 15:41:10","2026-04-16 15:41:26",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":56,"total_installs":57,"avg_security_score":58,"avg_patch_time_days":59,"trust_score":60,"computed_at":61},2,20,74,30,76,"2026-04-18T19:33:25.729Z",[],{"attackSurface":64,"codeSignals":136,"taintFlows":185,"riskAssessment":186,"analyzedAt":198},{"hooks":65,"ajaxHandlers":128,"restRoutes":133,"shortcodes":134,"cronEvents":135,"entryPointCount":25,"unprotectedCount":25},[66,72,76,82,86,90,94,97,101,105,109,113,117,122,126],{"type":67,"name":68,"callback":69,"file":70,"line":71},"action","admin_enqueue_scripts","katalogportal_katalog_widget_scripts","Katalogportal-widget.php",164,{"type":67,"name":73,"callback":74,"file":70,"line":75},"widgets_init","register_epaper_widget",170,{"type":77,"name":78,"callback":79,"priority":11,"file":80,"line":81},"filter","attachment_fields_to_edit","insertkatalogportalButton","inc\u002Fclass.admin.php",5,{"type":77,"name":83,"callback":84,"priority":11,"file":80,"line":85},"add_attachment","add_filter_upload_image",6,{"type":67,"name":87,"callback":88,"file":80,"line":89},"admin_menu","addPluginMenu",8,{"type":67,"name":91,"callback":92,"file":80,"line":93},"admin_init","init",9,{"type":67,"name":91,"callback":95,"file":80,"line":96},"katalogportaladdButtons",11,{"type":67,"name":98,"callback":99,"file":80,"line":100},"delete_attachment","attachment_manipulation",14,{"type":77,"name":102,"callback":103,"file":80,"line":104},"manage_media_columns","add_media_columns",16,{"type":67,"name":106,"callback":107,"priority":11,"file":80,"line":108},"manage_media_custom_column","mte_custom_media_column_content",17,{"type":77,"name":110,"callback":111,"file":80,"line":112},"mce_external_plugins","katalogportaladdScr
iptTinymce",311,{"type":77,"name":114,"callback":115,"file":80,"line":116},"mce_buttons","registerTheButton",312,{"type":67,"name":118,"callback":119,"file":120,"line":121},"plugins_loaded","katalogportal_Init","katalogportal-pdf-sync.php",55,{"type":67,"name":123,"callback":124,"file":120,"line":125},"wp_footer","hook_katalogportal_javascript",69,{"type":67,"name":68,"callback":127,"file":120,"line":60},"katalogportal_katalog_scripts",[129],{"action":130,"nopriv":45,"callback":131,"hasNonce":45,"hasCapCheck":45,"file":80,"line":132},"katalogportal_shortcodePrinter","katalogportal_popup_shortcode",12,[],[],[],{"dangerousFunctions":137,"sqlUsage":138,"outputEscaping":140,"fileOperations":13,"externalRequests":13,"nonceChecks":25,"capabilityChecks":46,"bundledLibraries":181},[],{"prepared":13,"raw":13,"locations":139},[],{"escaped":141,"rawEcho":142,"locations":143},36,22,[144,146,148,150,151,153,154,155,157,158,160,161,162,164,166,168,170,172,174,176,177,179],{"file":70,"line":141,"context":145},"raw output",{"file":70,"line":147,"context":145},37,{"file":70,"line":149,"context":145},41,{"file":70,"line":121,"context":145},{"file":70,"line":152,"context":145},57,{"file":70,"line":60,"context":145},{"file":70,"line":60,"context":145},{"file":70,"line":156,"context":145},83,{"file":70,"line":156,"context":145},{"file":70,"line":159,"context":145},89,{"file":70,"line":159,"context":145},{"file":70,"line":159,"context":145},{"file":70,"line":163,"context":145},117,{"file":80,"line":165,"context":145},38,{"file":80,"line":167,"context":145},66,{"file":80,"line":169,"context":145},96,{"file":80,"line":171,"context":145},194,{"file":80,"line":173,"context":145},236,{"file":80,"line":175,"context":145},250,{"file":80,"line":175,"context":145},{"file":80,"line":178,"context":145},284,{"file":120,"line":180,"context":145},67,[182],{"name":183,"version":34,"knownCves":184},"TinyMCE",[],[],{"summary":187,"deductions":188},"The \"katalogportal-pdf-sync\" v1.0.0 plugin presents a 
mixed security posture. While it demonstrates some good security practices, such as using prepared statements for all SQL queries and including nonce checks, several significant concerns exist. The plugin has a total of one entry point, an AJAX handler, which notably lacks authentication checks. This creates a direct pathway for unauthenticated attackers to interact with the plugin's functionality.\n\nFurthermore, the plugin has a history of known vulnerabilities, with one medium severity CVE currently unpatched. This past vulnerability type, \"Missing Authorization,\" aligns with the static analysis findings, highlighting a recurring issue in how access control is implemented. The lack of any analyzed taint flows is a neutral observation, as it doesn't indicate an immediate risk but also doesn't provide assurance of safety in that area.\n\nIn conclusion, the plugin's security is compromised by a critical lack of authorization on its sole AJAX entry point and a known, unpatched medium severity vulnerability. While the use of prepared statements and nonce checks are positive, these are overshadowed by the potential for unauthorized access and the history of security flaws. 
Users should proceed with extreme caution and consider disabling the plugin until these issues are addressed.",[189,191,194,196],{"reason":190,"points":11},"Unprotected AJAX handler",{"reason":192,"points":193},"Unpatched CVE (medium severity)",15,{"reason":195,"points":81},"Vulnerability history indicates auth issues",{"reason":197,"points":81},"Moderate percentage of unescaped output","2026-04-16T11:32:56.938Z",{"wat":200,"direct":208},{"assetPaths":201,"generatorPatterns":204,"scriptPaths":205,"versionParams":206},[202,203],"\u002Fwp-content\u002Fplugins\u002Fkatalogportal-pdf-sync\u002Fcss\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Fkatalogportal-pdf-sync\u002Fjs\u002FadminKW.js",[],[],[207,207],"katalogportal-katalog-widget-admin?ver=",{"cssClasses":209,"htmlComments":211,"htmlAttributes":212,"restEndpoints":215,"jsGlobals":216,"shortcodeOutput":217},[210],"katalogportal-preview-wrap",[],[213,214],"data-uploader_title","data-uploader_button_text",[],[],[218,219,220,221,222,223,224,223,225,226],"\u003Cdiv style=\"clear:both;\">\u003C\u002Fdiv>\u003Cdiv style=\"float:left; display: block; margin-right: 10px; width: 120px; text-align: center;\">\u003Ca class=\"iframe first last item\" href=\"http:\u002F\u002Fwww.katalogportal.ch\u002Fbook.aspx?id=","\u003Cimg src=\"","\" \n\t\t\t\talt=\"","\" \n\t\t\t\ttitle=\"","\" \n\t\t\tstyle=\""," height: auto;\" >"," katalogportal_logo.png\" \n\t\t\t\tstyle=\"","\u003Cbr\u002F>","\u003C\u002Fa>\u003C\u002Fdiv>",{"slug":4,"current_version":6,"total_versions":13,"versions":228},[]]