CVE-2026-7526

PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
5.0.0
Patched in
1d
Time to patch

Description

The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=4.9.3
PublishedMay 27, 2026
Last updatedMay 28, 2026
Affected pluginpdf-embedder

What Changed in the Fix

Changes introduced in v5.0.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-7526 ## 1. Vulnerability Summary The **PDF Embedder** plugin (<= 4.9.3) is vulnerable to **Sensitive Information Exposure**. The vulnerability exists because the plugin enqueues configuration data and administrative nonces via the `enqueue_block_assets` hook (…

Show full research plan

Exploitation Research Plan: CVE-2026-7526

1. Vulnerability Summary

The PDF Embedder plugin (<= 4.9.3) is vulnerable to Sensitive Information Exposure. The vulnerability exists because the plugin enqueues configuration data and administrative nonces via the enqueue_block_assets hook (or similar script localization mechanisms) without restricting the data to administrative users.

When a user with Contributor permissions or higher accesses the WordPress Block Editor (Gutenberg), the plugin enqueues scripts required for the PDF block. Along with these scripts, it localizes a JavaScript object containing the plugin's configuration settings. In premium versions, this may include the license key; in the Lite version, it includes viewer settings, plan details, and administrative nonces used for plugin management.

2. Attack Vector Analysis

  • Endpoint: WordPress Admin Block Editor (/wp-admin/post-new.php or /wp-admin/post.php?post=[ID]&action=edit).
  • Authentication: Authenticated (Contributor-level access or higher).
  • Vulnerable Hook: enqueue_block_assets (inferred from description).
  • Data Sink: The global JavaScript object pdfemb_args (referenced in assets/js/admin/pdfemb-admin.js) and potentially pdfemb_trans.

3. Code Flow

  1. A Contributor-level user navigates to the "New Post" page in the WordPress admin.
  2. WordPress triggers the enqueue_block_assets hook to load blocks and their dependencies.
  3. The PDF Embedder plugin, to facilitate the PDF Block functionality, enqueues assets/js/admin/pdfemb-admin.js (or a block-specific script) and uses wp_localize_script to pass settings from PHP to JavaScript.
  4. The localized data is assigned to the global pdfemb_args variable.
  5. Because the Contributor user has access to the Block Editor, the browser loads this object into the DOM.
  6. The user can then access window.pdfemb_args via the browser console or by scraping the page source.

4. Nonce Acquisition Strategy

While this is an Information Exposure vulnerability (the nonces themselves are the sensitive information being leaked), the plan requires identifying how to read them.

  • Variable Name: pdfemb_args (identified from assets/js/admin/pdfemb-admin.js).
  • Keys of Interest:
    • pdfemb_args.install_nonce
    • pdfemb_args.activate_nonce
    • pdfemb_args.deactivate_nonce
    • pdfemb_args.ajax (the AJAX URL)
  • Method:
    1. Log in as a Contributor.
    2. Navigate to the Post Editor.
    3. Execute browser_eval("window.pdfemb_args").

5. Exploitation Strategy

The goal is to demonstrate that a Contributor user can extract administrative configuration and nonces.

Step-by-Step Plan:

  1. Authentication: Log in to the target WordPress instance as a user with the Contributor role.
  2. Navigation: Access the New Post page: http://localhost:8080/wp-admin/post-new.php.
  3. Extraction:
    • Use browser_eval to extract the pdfemb_args object.
    • Specifically, target the nonces and the plan information.
  4. Proof of Exposure: Print the contents of the object to demonstrate the exposure of non-public configuration data (e.g., plan, usage tracking status, and nonces).

Payload (JavaScript):

JSON.stringify(window.pdfemb_args, null, 2);

6. Test Data Setup

  1. Plugin Installation: Install and activate pdf-embedder version 4.9.3.
  2. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  3. Configuration (Optional): Set some specific settings to ensure they are reflected in the leaked data.
    wp option update pdf_embedder_settings '{"width":"500","height":"max","toolbar":"both"}' --format=json
    

7. Expected Results

  • The http_request to /wp-admin/post-new.php will return a 200 OK response.
  • The browser_eval of window.pdfemb_args will return a JSON object containing:
    • ajax: The admin-ajax.php URL.
    • install_nonce: A valid WP nonce for pdfemb_partners_install.
    • activate_nonce: A valid WP nonce for pdfemb_partners_activate.
    • deactivate_nonce: A valid WP nonce for pdfemb_partners_deactivate.
    • Configuration values like width, height, and toolbar (as mentioned in the CVE description).

8. Verification Steps

After obtaining the data via the browser:

  1. Verify Nonce Context: Use wp-cli to check if the extracted nonces are indeed present in the database or session for that user (though nonces are time/UID based).
  2. Verify Access Level: Confirm that a Contributor user normally should not have access to partner installation/activation nonces, which are administrative functions usually found on the plugin's settings page (restricted to manage_options).

9. Alternative Approaches

If pdfemb_args is not enqueued on the post-new.php page by default:

  1. Check existing posts: Navigate to an existing post that contains a [pdf-embedder] shortcode.
  2. Check Settings Page (if accessible): Verify if the Contributor can accidentally access /wp-admin/options-general.php?page=pdf-embedder-settings (unlikely, but worth a check if the capability check is missing on the menu registration).
  3. Search Page Source: If browser_eval fails, use http_request to fetch the HTML of post-new.php and search for the string var pdfemb_args =.
Research Findings
Static analysis — not yet PoC-verified

Summary

The PDF Embedder plugin exposes sensitive configuration data and administrative nonces to authenticated users with Contributor-level access or higher. This occurs because the plugin enqueues a JavaScript object containing configuration settings and security tokens on the WordPress Block Editor page without restricting the data to administrative users.

Vulnerable Code

// assets/js/admin/pdfemb-admin.js (Usage of the globally localized pdfemb_args object containing nonces)

// line 59
var install_opts = {
    url: pdfemb_args.ajax,
// ...
    data: {
        action: 'pdfemb_partners_install',
        nonce: pdfemb_args.install_nonce,
        basename: basename,
        download_url: url,
    },

---

// assets/js/admin/pdfemb-admin.js (Lack of nonce protection for certain actions in version 4.9.3)

// line 13
$.post( ajaxurl, {
    action: 'pdfemb_admin_settings_getstarted_dismiss',
} );

// line 23
$.post( ajaxurl, {
    action: 'pdfemb_admin_settings_getstarted_open',
} );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/pdf-embedder/4.9.3/assets/js/admin/pdfemb-admin.js /home/deploy/wp-safety.org/data/plugin-versions/pdf-embedder/5.0.0/assets/js/admin/pdfemb-admin.js
--- /home/deploy/wp-safety.org/data/plugin-versions/pdf-embedder/4.9.3/assets/js/admin/pdfemb-admin.js	2025-12-30 11:09:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/pdf-embedder/5.0.0/assets/js/admin/pdfemb-admin.js	2026-05-14 11:32:12.000000000 +0000
@@ -15,6 +15,7 @@
 
 				$.post( ajaxurl, {
 					action: 'pdfemb_admin_settings_getstarted_dismiss',
+					nonce: pdfemb_args.getstarted_nonce,
 				} );
 
 				return;
@@ -22,6 +23,7 @@
 
 			$.post( ajaxurl, {
 				 action: 'pdfemb_admin_settings_getstarted_open',
+				 nonce: pdfemb_args.getstarted_nonce,
 			 } );
 
 			 $( '#pdfemb-getstarted' ).slideDown( 'fast', function() {

Exploit Outline

The exploit is a passive Information Exposure targeted at the WordPress Block Editor. An attacker with Contributor-level permissions or higher logs into the WordPress administrative dashboard and navigates to the 'New Post' or 'Edit Post' page. Because the plugin enqueues its configuration for all users who can access the editor, the attacker can open the browser's developer console and inspect the global 'window.pdfemb_args' object. This object contains viewer settings, usage tracking status, the plugin plan, and administrative nonces (such as install_nonce, activate_nonce, and deactivate_nonce). If the premium version is installed, the license key may also be exposed within this localized data.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.