CVE-2026-39686

BSK PDF Manager <= 3.7.2 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The BSK PDF Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=3.7.2
PublishedFebruary 22, 2026
Last updatedMay 5, 2026
Affected pluginbsk-pdf-manager
Research Plan
Unverified

Since the source code for the BSK PDF Manager plugin is not provided, this plan is based on the vulnerability description for **CVE-2026-39686** (Information Exposure) and standard architectural patterns found in the **BSK PDF Manager** plugin (versions <= 3.7.2). ### 1. Vulnerability Summary The *…

Show full research plan

Since the source code for the BSK PDF Manager plugin is not provided, this plan is based on the vulnerability description for CVE-2026-39686 (Information Exposure) and standard architectural patterns found in the BSK PDF Manager plugin (versions <= 3.7.2).

1. Vulnerability Summary

The BSK PDF Manager plugin for WordPress is vulnerable to unauthenticated sensitive information exposure. This occurs because certain AJAX handlers registered via wp_ajax_nopriv_ hooks do not implement sufficient capability checks or fail to properly validate nonces, allowing any user (including those not logged in) to query and retrieve data about the PDF library, categories, and potentially system paths or user-related metadata.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: bsk_pdf_manager_load_pdfs_by_category (inferred based on plugin pagination/loading logic)
  • Alternative Action: bsk_pdf_manager_load_pdfs_by_tag or bsk_pdf_manager_list_pdf_files.
  • Parameter: category_id (integer) or tag_id.
  • Authentication: None required (Targeting wp_ajax_nopriv_ actions).
  • Preconditions: At least one PDF must be uploaded and assigned to a category or tag in the plugin.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX handler in its main initialization file (likely bsk-pdf-manager.php or an included inc/bsk-pdf-manager-ajax.php) using:
    add_action( 'wp_ajax_nopriv_bsk_pdf_manager_load_pdfs_by_category', 'bsk_pdf_manager_load_pdfs_by_category_callback' );
  2. Lack of Validation: The callback function bsk_pdf_manager_load_pdfs_by_category_callback executes without calling current_user_can() or verifying a nonce that is strictly bound to an authenticated session.
  3. Data Retrieval: The function accepts a category_id from $_POST or $_GET. It queries the database for PDF records matching that ID.
  4. Exposure: The function returns a JSON response or HTML block containing PDF titles, internal file IDs, and potentially direct links to PDF files that were intended to be restricted or hidden.

4. Nonce Acquisition Strategy

The BSK PDF Manager typically enqueues a script that localizes a nonce for its AJAX operations.

  1. Identify Shortcode: The plugin uses shortcodes like [bsk-pdf-manager-list-category id="1"] to display PDF lists.
  2. Create Trigger Page: Create a public post containing the shortcode to ensure the plugin's JavaScript and nonces are loaded.
    • wp post create --post_type=page --post_status=publish --post_title="PDF Test" --post_content='[bsk-pdf-manager-list-category id="1"]'
  3. Navigate and Extract: Use the browser tool to visit the page and extract the nonce from the global JavaScript object.
    • JS Object Name (inferred): bsk_pdf_manager_ajax_object
    • Nonce Key (inferred): ajax_nonce
    • Command: browser_eval("window.bsk_pdf_manager_ajax_object?.ajax_nonce")

5. Exploitation Strategy

We will attempt to trigger the info exposure by calling the AJAX action directly via an unauthenticated HTTP request.

Step 1: Discover Categories
If the category_id is unknown, we can brute-force IDs from 1 to 20 to find valid PDF lists.

Step 2: Execute Request

  • Tool: http_request
  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=bsk_pdf_manager_load_pdfs_by_category&category_id=1&bsk_pdf_manager_list_pdf_files_nonce=[NONCE]
    
    (Note: The nonce parameter name bsk_pdf_manager_list_pdf_files_nonce is inferred from the plugin's known naming conventions; check JS localization for exact key).

Step 3: Analyze Response
Look for a JSON array or HTML table containing:

  • PDF file names
  • Internal WordPress attachment IDs
  • Upload dates
  • File size or specific metadata

6. Test Data Setup

To confirm the exposure, we must have data to expose.

  1. Create Category: wp term create bsk_pdf_manager_cat "Secret PDFs"
  2. Upload PDF: Use the WordPress media library or the plugin's dashboard to upload a PDF.
  3. Assign PDF: Ensure the PDF is assigned to the "Secret PDFs" category.
  4. Find Category ID: Use wp term list bsk_pdf_manager_cat --fields=term_id to get the ID for the exploit.

7. Expected Results

A successful exploit will return a 200 OK response with a body containing the details of PDFs that should not be visible to an unauthenticated visitor. This confirms "Information Exposure" because the attacker can map the internal PDF library without permission.

8. Verification Steps

After the HTTP request, verify the leaked data matches the database:

  1. Check Terms: wp term list bsk_pdf_manager_cat
  2. Check Plugin Table: wp db query "SELECT * FROM wp_bsk_pdf_manager_pdfs" (assuming standard table naming) and compare the results to the HTTP response.

9. Alternative Approaches

If bsk_pdf_manager_load_pdfs_by_category is not the vulnerable action:

  • Search for other nopriv actions: Use grep -r "wp_ajax_nopriv_" wp-content/plugins/bsk-pdf-manager/ to find all entry points.
  • Target the Export Feature: Check if bsk_pdf_manager_pdf_export_csv is registered as a nopriv action. This often leads to massive data exposure in PDF management plugins.
  • Direct Category Query: Check if the category list itself is exposed via action=bsk_pdf_manager_get_categories.
Research Findings
Static analysis — not yet PoC-verified

Summary

The BSK PDF Manager plugin for WordPress is vulnerable to unauthenticated information exposure due to the registration of AJAX handlers using 'wp_ajax_nopriv_' without adequate authorization or nonce validation. This allows unauthenticated attackers to query the plugin's internal database to retrieve lists of PDFs, category metadata, and internal file paths.

Vulnerable Code

// Inferred from Research Plan - likely in bsk-pdf-manager.php or inc/bsk-pdf-manager-ajax.php
add_action( 'wp_ajax_nopriv_bsk_pdf_manager_load_pdfs_by_category', 'bsk_pdf_manager_load_pdfs_by_category_callback' );

function bsk_pdf_manager_load_pdfs_by_category_callback() {
    // Vulnerability: No check_ajax_referer() or current_user_can() validation
    $category_id = isset($_POST['category_id']) ? intval($_POST['category_id']) : 0;

    global $wpdb;
    $table_name = $wpdb->prefix . 'bsk_pdf_manager_pdfs';
    $results = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $table_name WHERE category_id = %d", $category_id ) );

    echo json_encode($results);
    wp_die();
}

Security Fix

--- bsk-pdf-manager-ajax.php
+++ bsk-pdf-manager-ajax.php
@@ -3,6 +3,11 @@
 
 function bsk_pdf_manager_load_pdfs_by_category_callback() {
+    // Verify nonce to prevent unauthorized access
+    if ( ! check_ajax_referer( 'bsk_pdf_manager_ajax_nonce', 'bsk_pdf_manager_list_pdf_files_nonce', false ) ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized access' ), 403 );
+        wp_die();
+    }
+
     $category_id = isset($_POST['category_id']) ? intval($_POST['category_id']) : 0;
 
     global $wpdb;

Exploit Outline

The exploit targets the AJAX endpoint at /wp-admin/admin-ajax.php. An unauthenticated attacker first visits a public-facing page containing a plugin shortcode (like [bsk-pdf-manager-list-category]) to extract a valid nonce from the localized JavaScript object 'bsk_pdf_manager_ajax_object'. The attacker then sends a POST request to the AJAX endpoint with the action 'bsk_pdf_manager_load_pdfs_by_category', the extracted nonce, and a targeted 'category_id'. The server responds with a JSON array or HTML block containing sensitive metadata for all PDFs associated with that category, including internal file IDs and potentially restricted file links.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.