[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fThu8-eVDGaYkrHeIG5OjL7Vb2RmxwanvQ6mzu45vrFQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-3649","katalogportal-pdf-sync-widget-missing-authorization-to-authenticated-subscriber-information-disclosure-via-katalogportal","Katalogportal-pdf-sync Widget \u003C= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action","The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. 
The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status.","katalogportal-pdf-sync",null,"\u003C=1.0.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-14 19:45:57","2026-04-15 08:28:16",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa01e7b21-f3ff-42a8-b78a-ad69973eda01?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3649 (Katalogportal-pdf-sync Widget)\n\n## 1. Vulnerability Summary\nThe **Katalogportal-pdf-sync Widget** plugin (\u003C= 1.0.0) contains an information disclosure vulnerability in its AJAX handling logic. The function `katalogportal_popup_shortcode()` is registered as an AJAX handler via the `wp_ajax_katalogportal_shortcodePrinter` hook. This function fails to implement any authorization checks (e.g., `current_user_can()`) or CSRF protection (nonces). \n\nFurthermore, the function utilizes `WP_Query` with the parameter `'post_status' => 'any'`, which causes it to retrieve and return metadata for all PDF attachments synchronized with the system, including those associated with **Private** or **Draft** posts that should not be visible to low-privileged users.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `katalogportal_shortcodePrinter`\n- **Method:** `POST` or `GET` (WordPress AJAX handlers typically support both, but `POST` is standard).\n- **Authentication:** Required (Subscriber or higher). The `wp_ajax_` prefix (without a corresponding `wp_ajax_nopriv_`) limits this to logged-in users.\n- **Payload Parameters:**\n    - `action`: `katalogportal_shortcodePrinter`\n- **Vulnerable Component:** `katalogportal_popup_shortcode()` function.\n\n## 3. Code Flow\n1. **Entry Point:** A request is sent to `admin-ajax.php` with `action=katalogportal_shortcodePrinter`.\n2. 
**Hook Execution:** WordPress triggers the hook `do_action( 'wp_ajax_katalogportal_shortcodePrinter' )`.\n3. **Handler Execution:** The plugin's registered callback `katalogportal_popup_shortcode()` (likely in the main plugin file or an included widget file) is invoked.\n4. **Data Retrieval:**\n    - The function retrieves the `katalogportal_userid` configuration (likely via `get_option`).\n    - It executes a `WP_Query` or `$wpdb` query for attachments (post_type `attachment`) with `post_mime_type` set to `application\u002Fpdf`.\n    - Critically, it uses `'post_status' => 'any'`, bypassing standard visibility filters.\n5. **Response:** The function echoes a list (likely HTML or JSON) containing PDF titles, filenames, and the `katalogportal_userid`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the function **lacks any nonce verification**. \n\nIf, during initial script inspection, a `check_ajax_referer` or `wp_verify_nonce` call is discovered, the following strategy will be used:\n1. **Identify Script Localization:** Search for `wp_localize_script` in the plugin source to find where the nonce is exposed.\n2. **Shortcode Placement:** The plugin likely uses a shortcode to render its UI. Identify this shortcode (e.g., `[katalogportal_pdf_sync]` or similar, inferred).\n3. **Page Creation:** \n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Sync Page\" --post_content='[shortcode_found_in_step_1]'\n   ```\n4. **Extraction:** Use `browser_navigate` to the new page and `browser_eval` to extract the nonce:\n   ```javascript\n   \u002F\u002F Example inferred variable names\n   window.katalogportal_vars?.nonce \n   ```\n*Note: Since the description explicitly states the nonce is missing, the exploitation will proceed without one.*\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Subscriber can view metadata for PDFs attached to a Private post.\n\n1. 
**Setup:** \n    - Log in as Administrator.\n    - Create a **Private** post.\n    - Upload a PDF file (e.g., `top_secret_data.pdf`) and attach it to that Private post.\n    - Create a **Subscriber** user.\n2. **Execution:**\n    - Authenticate as the Subscriber user to obtain a session cookie.\n    - Send a POST request to the AJAX endpoint.\n3. **Request Details:**\n    - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body:** `action=katalogportal_shortcodePrinter`\n4. **Data Analysis:**\n    - Inspect the response body for the string `top_secret_data.pdf` and the `katalogportal_userid`.\n\n## 6. Test Data Setup\n- **Admin User:** `admin` \u002F `password`\n- **Subscriber User:** `victim_sub` \u002F `password`\n- **Secret Attachment:** \n    - Post Title: \"Confidential Project\"\n    - Post Status: `private`\n    - Attachment: A PDF file named `internal_audit_2024.pdf`.\n- **Plugin Config:** Set a dummy value for the user ID.\n    ```bash\n    wp option update katalogportal_userid \"KP-9999-SECRET\"\n    ```\n\n## 7. Expected Results\n- The response from `admin-ajax.php` should return an HTTP 200.\n- The response body should contain the filename `internal_audit_2024.pdf`.\n- The response body should contain the string `KP-9999-SECRET`.\n- This confirms that a Subscriber can access information about attachments they do not have permission to view.\n\n## 8. Verification Steps\n1. **Post-Exploit Verification:**\n    - Use WP-CLI to confirm the attachment exists and is indeed attached to a private post:\n      ```bash\n      wp post list --post_type=attachment --post_status=private\n      ```\n2. **Log Check:**\n    - Check the PHP error log (if enabled) to ensure no \"Permission Denied\" errors were triggered, confirming the lack of authorization checks.\n\n## 9. 
Alternative Approaches\nIf the `wp_ajax_` action requires specific parameters to trigger the query:\n1. **Brute Force Parameters:** If the function expects a category or ID, try passing `id=1` or `cat=all`.\n2. **Shortcode Attributes:** If the function is also the callback for a shortcode, inspect `katalogportal_popup_shortcode($atts)` to see if it accepts attributes that modify the query (e.g., `[katalogportal_shortcodePrinter status=\"any\"]`). If it handles attributes without sanitization, it may lead to further disclosure.\n3. **Response Format:** If the response is empty, check if `katalogportal_userid` must be set for the query to execute. Ensure `wp option get katalogportal_userid` returns a value before running the exploit.","The Katalogportal-pdf-sync Widget plugin fails to perform authorization or nonce checks on its 'katalogportal_shortcodePrinter' AJAX action. This allows any authenticated user, including low-privileged subscribers, to access a list of synchronized PDF attachments (even those associated with private or draft posts) and the sensitive 'katalogportal_userid' configuration value.","\u002F\u002F From the Katalogportal PDF Sync plugin\n\nadd_action('wp_ajax_katalogportal_shortcodePrinter', 'katalogportal_popup_shortcode');\n\nfunction katalogportal_popup_shortcode() {\n    \u002F\u002F Missing current_user_can() authorization check\n    \u002F\u002F Missing check_ajax_referer() or wp_verify_nonce() check\n\n    $user_id = get_option('katalogportal_userid');\n\n    $args = array(\n        'post_type'      => 'attachment',\n        'post_mime_type' => 'application\u002Fpdf',\n        'post_status'    => 'any', \u002F\u002F Causes disclosure of attachments belonging to private\u002Fdraft posts\n        'posts_per_page' => -1,\n    );\n\n    $query = new WP_Query($args);\n    \n    \u002F\u002F ... 
logic returning titles, filenames, and $user_id ...\n    wp_die();\n}","--- a\u002Fkatalogportal-pdf-sync.php\n+++ b\u002Fkatalogportal-pdf-sync.php\n@@ -1,5 +1,9 @@\n function katalogportal_popup_shortcode() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized' );\n+    }\n+\n     $user_id = get_option('katalogportal_userid');\n     $args = array(\n         'post_type'      => 'attachment',\n         'post_mime_type' => 'application\u002Fpdf',\n-        'post_status'    => 'any',\n+        'post_status'    => 'publish',\n         'posts_per_page' => -1,\n     );","1. Authenticate as a low-privileged user (e.g., Subscriber).\n2. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n3. Include the parameter 'action=katalogportal_shortcodePrinter' in the request body.\n4. Observe the response, which contains the 'katalogportal_userid' value and a list of PDF attachment metadata, including files attached to Private or Draft posts that the Subscriber should not be able to see.","gemini-3-flash-preview","2026-04-16 15:41:10","2026-04-16 15:41:26",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkatalogportal-pdf-sync\u002Ftags"]
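Review bot: the hunk's new guard checks only `current_user_can( 'manage_options' )` and still adds no nonce verification, so the handler can still be triggered by a forged request from a logged-in administrator's browser; add `check_ajax_referer( 'katalogportal_shortcode', 'nonce' )` (nonce action and field names here are placeholders, not from the plugin) ahead of the capability check, and reply with `wp_send_json_error( 'Unauthorized', 403 )` rather than `wp_die( 'Unauthorized' )`, because the AJAX die handler defaults to an HTTP 200 response that clients will not treat as a failure. Separately, the change of `'post_status'` from `'any'` to `'publish'` in the same hunk will most likely return no rows at all for `'post_type' => 'attachment'`, since WordPress media attachments carry `post_status` `'inherit'` rather than `'publish'`; if the intent is to hide attachments of private or draft parents, query with `'post_status' => 'inherit'` and skip any result whose `get_post_status( $attachment->post_parent )` is not `'publish'` (or use `current_user_can( 'read_post', $attachment->post_parent )`) before echoing its title and filename.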