BSK PDF Manager <= 3.7.2 - Unauthenticated Information Exposure
Description
The BSK PDF Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=3.7.2Since the source code for the BSK PDF Manager plugin is not provided, this plan is based on the vulnerability description for **CVE-2026-39686** (Information Exposure) and standard architectural patterns found in the **BSK PDF Manager** plugin (versions <= 3.7.2). ### 1. Vulnerability Summary The *…
Show full research plan
Since the source code for the BSK PDF Manager plugin is not provided, this plan is based on the vulnerability description for CVE-2026-39686 (Information Exposure) and standard architectural patterns found in the BSK PDF Manager plugin (versions <= 3.7.2).
1. Vulnerability Summary
The BSK PDF Manager plugin for WordPress is vulnerable to unauthenticated sensitive information exposure. This occurs because certain AJAX handlers registered via wp_ajax_nopriv_ hooks do not implement sufficient capability checks or fail to properly validate nonces, allowing any user (including those not logged in) to query and retrieve data about the PDF library, categories, and potentially system paths or user-related metadata.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
bsk_pdf_manager_load_pdfs_by_category(inferred based on plugin pagination/loading logic) - Alternative Action:
bsk_pdf_manager_load_pdfs_by_tagorbsk_pdf_manager_list_pdf_files. - Parameter:
category_id(integer) ortag_id. - Authentication: None required (Targeting
wp_ajax_nopriv_actions). - Preconditions: At least one PDF must be uploaded and assigned to a category or tag in the plugin.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX handler in its main initialization file (likely
bsk-pdf-manager.phpor an includedinc/bsk-pdf-manager-ajax.php) using:add_action( 'wp_ajax_nopriv_bsk_pdf_manager_load_pdfs_by_category', 'bsk_pdf_manager_load_pdfs_by_category_callback' ); - Lack of Validation: The callback function
bsk_pdf_manager_load_pdfs_by_category_callbackexecutes without callingcurrent_user_can()or verifying a nonce that is strictly bound to an authenticated session. - Data Retrieval: The function accepts a
category_idfrom$_POSTor$_GET. It queries the database for PDF records matching that ID. - Exposure: The function returns a JSON response or HTML block containing PDF titles, internal file IDs, and potentially direct links to PDF files that were intended to be restricted or hidden.
4. Nonce Acquisition Strategy
The BSK PDF Manager typically enqueues a script that localizes a nonce for its AJAX operations.
- Identify Shortcode: The plugin uses shortcodes like
[bsk-pdf-manager-list-category id="1"]to display PDF lists. - Create Trigger Page: Create a public post containing the shortcode to ensure the plugin's JavaScript and nonces are loaded.
wp post create --post_type=page --post_status=publish --post_title="PDF Test" --post_content='[bsk-pdf-manager-list-category id="1"]'
- Navigate and Extract: Use the browser tool to visit the page and extract the nonce from the global JavaScript object.
- JS Object Name (inferred):
bsk_pdf_manager_ajax_object - Nonce Key (inferred):
ajax_nonce - Command:
browser_eval("window.bsk_pdf_manager_ajax_object?.ajax_nonce")
- JS Object Name (inferred):
5. Exploitation Strategy
We will attempt to trigger the info exposure by calling the AJAX action directly via an unauthenticated HTTP request.
Step 1: Discover Categories
If the category_id is unknown, we can brute-force IDs from 1 to 20 to find valid PDF lists.
Step 2: Execute Request
- Tool:
http_request - Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: The nonce parameter nameaction=bsk_pdf_manager_load_pdfs_by_category&category_id=1&bsk_pdf_manager_list_pdf_files_nonce=[NONCE]bsk_pdf_manager_list_pdf_files_nonceis inferred from the plugin's known naming conventions; check JS localization for exact key).
Step 3: Analyze Response
Look for a JSON array or HTML table containing:
- PDF file names
- Internal WordPress attachment IDs
- Upload dates
- File size or specific metadata
6. Test Data Setup
To confirm the exposure, we must have data to expose.
- Create Category:
wp term create bsk_pdf_manager_cat "Secret PDFs" - Upload PDF: Use the WordPress media library or the plugin's dashboard to upload a PDF.
- Assign PDF: Ensure the PDF is assigned to the "Secret PDFs" category.
- Find Category ID: Use
wp term list bsk_pdf_manager_cat --fields=term_idto get the ID for the exploit.
7. Expected Results
A successful exploit will return a 200 OK response with a body containing the details of PDFs that should not be visible to an unauthenticated visitor. This confirms "Information Exposure" because the attacker can map the internal PDF library without permission.
8. Verification Steps
After the HTTP request, verify the leaked data matches the database:
- Check Terms:
wp term list bsk_pdf_manager_cat - Check Plugin Table:
wp db query "SELECT * FROM wp_bsk_pdf_manager_pdfs"(assuming standard table naming) and compare the results to the HTTP response.
9. Alternative Approaches
If bsk_pdf_manager_load_pdfs_by_category is not the vulnerable action:
- Search for other
noprivactions: Usegrep -r "wp_ajax_nopriv_" wp-content/plugins/bsk-pdf-manager/to find all entry points. - Target the Export Feature: Check if
bsk_pdf_manager_pdf_export_csvis registered as anoprivaction. This often leads to massive data exposure in PDF management plugins. - Direct Category Query: Check if the category list itself is exposed via
action=bsk_pdf_manager_get_categories.
Summary
The BSK PDF Manager plugin for WordPress is vulnerable to unauthenticated information exposure due to the registration of AJAX handlers using 'wp_ajax_nopriv_' without adequate authorization or nonce validation. This allows unauthenticated attackers to query the plugin's internal database to retrieve lists of PDFs, category metadata, and internal file paths.
Vulnerable Code
// Inferred from Research Plan - likely in bsk-pdf-manager.php or inc/bsk-pdf-manager-ajax.php add_action( 'wp_ajax_nopriv_bsk_pdf_manager_load_pdfs_by_category', 'bsk_pdf_manager_load_pdfs_by_category_callback' ); function bsk_pdf_manager_load_pdfs_by_category_callback() { // Vulnerability: No check_ajax_referer() or current_user_can() validation $category_id = isset($_POST['category_id']) ? intval($_POST['category_id']) : 0; global $wpdb; $table_name = $wpdb->prefix . 'bsk_pdf_manager_pdfs'; $results = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $table_name WHERE category_id = %d", $category_id ) ); echo json_encode($results); wp_die(); }
Security Fix
@@ -3,6 +3,11 @@ function bsk_pdf_manager_load_pdfs_by_category_callback() { + // Verify nonce to prevent unauthorized access + if ( ! check_ajax_referer( 'bsk_pdf_manager_ajax_nonce', 'bsk_pdf_manager_list_pdf_files_nonce', false ) ) { + wp_send_json_error( array( 'message' => 'Unauthorized access' ), 403 ); + wp_die(); + } + $category_id = isset($_POST['category_id']) ? intval($_POST['category_id']) : 0; global $wpdb;
Exploit Outline
The exploit targets the AJAX endpoint at /wp-admin/admin-ajax.php. An unauthenticated attacker first visits a public-facing page containing a plugin shortcode (like [bsk-pdf-manager-list-category]) to extract a valid nonce from the localized JavaScript object 'bsk_pdf_manager_ajax_object'. The attacker then sends a POST request to the AJAX endpoint with the action 'bsk_pdf_manager_load_pdfs_by_category', the extracted nonce, and a targeted 'category_id'. The server responds with a JSON array or HTML block containing sensitive metadata for all PDFs associated with that category, including internal file IDs and potentially restricted file links.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.