PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page
Description
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v5.0.0
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-7526 ## 1. Vulnerability Summary The **PDF Embedder** plugin (<= 4.9.3) is vulnerable to **Sensitive Information Exposure**. The vulnerability exists because the plugin enqueues configuration data and administrative nonces via the `enqueue_block_assets` hook (…
Show full research plan
Exploitation Research Plan: CVE-2026-7526
1. Vulnerability Summary
The PDF Embedder plugin (<= 4.9.3) is vulnerable to Sensitive Information Exposure. The vulnerability exists because the plugin enqueues configuration data and administrative nonces via the enqueue_block_assets hook (or similar script localization mechanisms) without restricting the data to administrative users.
When a user with Contributor permissions or higher accesses the WordPress Block Editor (Gutenberg), the plugin enqueues scripts required for the PDF block. Along with these scripts, it localizes a JavaScript object containing the plugin's configuration settings. In premium versions, this may include the license key; in the Lite version, it includes viewer settings, plan details, and administrative nonces used for plugin management.
2. Attack Vector Analysis
- Endpoint: WordPress Admin Block Editor (
/wp-admin/post-new.phpor/wp-admin/post.php?post=[ID]&action=edit). - Authentication: Authenticated (Contributor-level access or higher).
- Vulnerable Hook:
enqueue_block_assets(inferred from description). - Data Sink: The global JavaScript object
pdfemb_args(referenced inassets/js/admin/pdfemb-admin.js) and potentiallypdfemb_trans.
3. Code Flow
- A Contributor-level user navigates to the "New Post" page in the WordPress admin.
- WordPress triggers the
enqueue_block_assetshook to load blocks and their dependencies. - The PDF Embedder plugin, to facilitate the PDF Block functionality, enqueues
assets/js/admin/pdfemb-admin.js(or a block-specific script) and useswp_localize_scriptto pass settings from PHP to JavaScript. - The localized data is assigned to the global
pdfemb_argsvariable. - Because the Contributor user has access to the Block Editor, the browser loads this object into the DOM.
- The user can then access
window.pdfemb_argsvia the browser console or by scraping the page source.
4. Nonce Acquisition Strategy
While this is an Information Exposure vulnerability (the nonces themselves are the sensitive information being leaked), the plan requires identifying how to read them.
- Variable Name:
pdfemb_args(identified fromassets/js/admin/pdfemb-admin.js). - Keys of Interest:
pdfemb_args.install_noncepdfemb_args.activate_noncepdfemb_args.deactivate_noncepdfemb_args.ajax(the AJAX URL)
- Method:
- Log in as a Contributor.
- Navigate to the Post Editor.
- Execute
browser_eval("window.pdfemb_args").
5. Exploitation Strategy
The goal is to demonstrate that a Contributor user can extract administrative configuration and nonces.
Step-by-Step Plan:
- Authentication: Log in to the target WordPress instance as a user with the
Contributorrole. - Navigation: Access the New Post page:
http://localhost:8080/wp-admin/post-new.php. - Extraction:
- Use
browser_evalto extract thepdfemb_argsobject. - Specifically, target the nonces and the plan information.
- Use
- Proof of Exposure: Print the contents of the object to demonstrate the exposure of non-public configuration data (e.g.,
plan,usage trackingstatus, and nonces).
Payload (JavaScript):
JSON.stringify(window.pdfemb_args, null, 2);
6. Test Data Setup
- Plugin Installation: Install and activate
pdf-embedderversion 4.9.3. - User Creation:
wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Configuration (Optional): Set some specific settings to ensure they are reflected in the leaked data.
wp option update pdf_embedder_settings '{"width":"500","height":"max","toolbar":"both"}' --format=json
7. Expected Results
- The
http_requestto/wp-admin/post-new.phpwill return a 200 OK response. - The
browser_evalofwindow.pdfemb_argswill return a JSON object containing:ajax: Theadmin-ajax.phpURL.install_nonce: A valid WP nonce forpdfemb_partners_install.activate_nonce: A valid WP nonce forpdfemb_partners_activate.deactivate_nonce: A valid WP nonce forpdfemb_partners_deactivate.- Configuration values like
width,height, andtoolbar(as mentioned in the CVE description).
8. Verification Steps
After obtaining the data via the browser:
- Verify Nonce Context: Use
wp-clito check if the extracted nonces are indeed present in the database or session for that user (though nonces are time/UID based). - Verify Access Level: Confirm that a Contributor user normally should not have access to partner installation/activation nonces, which are administrative functions usually found on the plugin's settings page (restricted to
manage_options).
9. Alternative Approaches
If pdfemb_args is not enqueued on the post-new.php page by default:
- Check existing posts: Navigate to an existing post that contains a
[pdf-embedder]shortcode. - Check Settings Page (if accessible): Verify if the Contributor can accidentally access
/wp-admin/options-general.php?page=pdf-embedder-settings(unlikely, but worth a check if the capability check is missing on the menu registration). - Search Page Source: If
browser_evalfails, usehttp_requestto fetch the HTML ofpost-new.phpand search for the stringvar pdfemb_args =.
Summary
The PDF Embedder plugin exposes sensitive configuration data and administrative nonces to authenticated users with Contributor-level access or higher. This occurs because the plugin enqueues a JavaScript object containing configuration settings and security tokens on the WordPress Block Editor page without restricting the data to administrative users.
Vulnerable Code
// assets/js/admin/pdfemb-admin.js (Usage of the globally localized pdfemb_args object containing nonces) // line 59 var install_opts = { url: pdfemb_args.ajax, // ... data: { action: 'pdfemb_partners_install', nonce: pdfemb_args.install_nonce, basename: basename, download_url: url, }, --- // assets/js/admin/pdfemb-admin.js (Lack of nonce protection for certain actions in version 4.9.3) // line 13 $.post( ajaxurl, { action: 'pdfemb_admin_settings_getstarted_dismiss', } ); // line 23 $.post( ajaxurl, { action: 'pdfemb_admin_settings_getstarted_open', } );
Security Fix
@@ -15,6 +15,7 @@ $.post( ajaxurl, { action: 'pdfemb_admin_settings_getstarted_dismiss', + nonce: pdfemb_args.getstarted_nonce, } ); return; @@ -22,6 +23,7 @@ $.post( ajaxurl, { action: 'pdfemb_admin_settings_getstarted_open', + nonce: pdfemb_args.getstarted_nonce, } ); $( '#pdfemb-getstarted' ).slideDown( 'fast', function() {
Exploit Outline
The exploit is a passive Information Exposure targeted at the WordPress Block Editor. An attacker with Contributor-level permissions or higher logs into the WordPress administrative dashboard and navigates to the 'New Post' or 'Edit Post' page. Because the plugin enqueues its configuration for all users who can access the editor, the attacker can open the browser's developer console and inspect the global 'window.pdfemb_args' object. This object contains viewer settings, usage tracking status, the plugin plan, and administrative nonces (such as install_nonce, activate_nonce, and deactivate_nonce). If the premium version is installed, the license key may also be exposed within this localized data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.