[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_QN6HRyMhHx3KRw3nfXeD8-xBSNWdQjo7YH9SUX1SNc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7526","pdf-embedder-authenticated-contributor-information-exposure-via-block-editor-page","PDF Embedder \u003C= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page","The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.","pdf-embedder",null,"\u003C=4.9.3","5.0.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-27 18:49:03","2026-05-28 07:43:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0e0f2516-0fa7-415e-868e-6bd259bc6546?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js","assets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.min.js","assets\u002Fjs\u002Fmodules\u002FpdfEmbedder.js","assets\u002Fjs\u002Fmodules\u002Fviewer-core.js","assets\u002Fjs\u002Fpdfemb.js","assets\u002Fjs\u002Fpdfemb.min.js","assets\u002Fjs\u002Fpdfjs\u002FLICENSE","assets\u002Fjs\u002Fpdfjs\u002Fpdf.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-7526\n\n## 1. Vulnerability Summary\nThe **PDF Embedder** plugin (\u003C= 4.9.3) is vulnerable to **Sensitive Information Exposure**. The vulnerability exists because the plugin enqueues configuration data and administrative nonces via the `enqueue_block_assets` hook (or similar script localization mechanisms) without restricting the data to administrative users. \n\nWhen a user with **Contributor** permissions or higher accesses the WordPress Block Editor (Gutenberg), the plugin enqueues scripts required for the PDF block. Along with these scripts, it localizes a JavaScript object containing the plugin's configuration settings. In premium versions, this may include the license key; in the Lite version, it includes viewer settings, plan details, and administrative nonces used for plugin management.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress Admin Block Editor (`\u002Fwp-admin\u002Fpost-new.php` or `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=edit`).\n- **Authentication:** Authenticated (Contributor-level access or higher).\n- **Vulnerable Hook:** `enqueue_block_assets` (inferred from description).\n- **Data Sink:** The global JavaScript object `pdfemb_args` (referenced in `assets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js`) and potentially `pdfemb_trans`.\n\n## 3. Code Flow\n1.  A Contributor-level user navigates to the \"New Post\" page in the WordPress admin.\n2.  WordPress triggers the `enqueue_block_assets` hook to load blocks and their dependencies.\n3.  The PDF Embedder plugin, to facilitate the PDF Block functionality, enqueues `assets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js` (or a block-specific script) and uses `wp_localize_script` to pass settings from PHP to JavaScript.\n4.  The localized data is assigned to the global `pdfemb_args` variable.\n5.  Because the Contributor user has access to the Block Editor, the browser loads this object into the DOM.\n6.  The user can then access `window.pdfemb_args` via the browser console or by scraping the page source.\n\n## 4. Nonce Acquisition Strategy\nWhile this is an **Information Exposure** vulnerability (the nonces themselves are the sensitive information being leaked), the plan requires identifying how to read them.\n\n- **Variable Name:** `pdfemb_args` (identified from `assets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js`).\n- **Keys of Interest:**\n    - `pdfemb_args.install_nonce`\n    - `pdfemb_args.activate_nonce`\n    - `pdfemb_args.deactivate_nonce`\n    - `pdfemb_args.ajax` (the AJAX URL)\n- **Method:**\n    1.  Log in as a Contributor.\n    2.  Navigate to the Post Editor.\n    3.  Execute `browser_eval(\"window.pdfemb_args\")`.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor user can extract administrative configuration and nonces.\n\n### Step-by-Step Plan:\n1.  **Authentication:** Log in to the target WordPress instance as a user with the `Contributor` role.\n2.  **Navigation:** Access the New Post page: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Extraction:**\n    -   Use `browser_eval` to extract the `pdfemb_args` object.\n    -   Specifically, target the nonces and the plan information.\n4.  **Proof of Exposure:** Print the contents of the object to demonstrate the exposure of non-public configuration data (e.g., `plan`, `usage tracking` status, and nonces).\n\n### Payload (JavaScript):\n```javascript\nJSON.stringify(window.pdfemb_args, null, 2);\n```\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Install and activate `pdf-embedder` version 4.9.3.\n2.  **User Creation:** \n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Configuration (Optional):** Set some specific settings to ensure they are reflected in the leaked data.\n    ```bash\n    wp option update pdf_embedder_settings '{\"width\":\"500\",\"height\":\"max\",\"toolbar\":\"both\"}' --format=json\n    ```\n\n## 7. Expected Results\n-   The `http_request` to `\u002Fwp-admin\u002Fpost-new.php` will return a 200 OK response.\n-   The `browser_eval` of `window.pdfemb_args` will return a JSON object containing:\n    -   `ajax`: The `admin-ajax.php` URL.\n    -   `install_nonce`: A valid WP nonce for `pdfemb_partners_install`.\n    -   `activate_nonce`: A valid WP nonce for `pdfemb_partners_activate`.\n    -   `deactivate_nonce`: A valid WP nonce for `pdfemb_partners_deactivate`.\n    -   Configuration values like `width`, `height`, and `toolbar` (as mentioned in the CVE description).\n\n## 8. Verification Steps\nAfter obtaining the data via the browser:\n1.  **Verify Nonce Context:** Use `wp-cli` to check if the extracted nonces are indeed present in the database or session for that user (though nonces are time\u002FUID based).\n2.  **Verify Access Level:** Confirm that a Contributor user *normally* should not have access to partner installation\u002Factivation nonces, which are administrative functions usually found on the plugin's settings page (restricted to `manage_options`).\n\n## 9. Alternative Approaches\nIf `pdfemb_args` is not enqueued on the `post-new.php` page by default:\n1.  **Check existing posts:** Navigate to an existing post that contains a `[pdf-embedder]` shortcode.\n2.  **Check Settings Page (if accessible):** Verify if the Contributor can accidentally access `\u002Fwp-admin\u002Foptions-general.php?page=pdf-embedder-settings` (unlikely, but worth a check if the capability check is missing on the menu registration).\n3.  **Search Page Source:** If `browser_eval` fails, use `http_request` to fetch the HTML of `post-new.php` and search for the string `var pdfemb_args =`.","The PDF Embedder plugin exposes sensitive configuration data and administrative nonces to authenticated users with Contributor-level access or higher. This occurs because the plugin enqueues a JavaScript object containing configuration settings and security tokens on the WordPress Block Editor page without restricting the data to administrative users.","\u002F\u002F assets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js (Usage of the globally localized pdfemb_args object containing nonces)\n\n\u002F\u002F line 59\nvar install_opts = {\n    url: pdfemb_args.ajax,\n\u002F\u002F ...\n    data: {\n        action: 'pdfemb_partners_install',\n        nonce: pdfemb_args.install_nonce,\n        basename: basename,\n        download_url: url,\n    },\n\n---\n\n\u002F\u002F assets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js (Lack of nonce protection for certain actions in version 4.9.3)\n\n\u002F\u002F line 13\n$.post( ajaxurl, {\n    action: 'pdfemb_admin_settings_getstarted_dismiss',\n} );\n\n\u002F\u002F line 23\n$.post( ajaxurl, {\n    action: 'pdfemb_admin_settings_getstarted_open',\n} );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpdf-embedder\u002F4.9.3\u002Fassets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpdf-embedder\u002F5.0.0\u002Fassets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpdf-embedder\u002F4.9.3\u002Fassets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js\t2025-12-30 11:09:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpdf-embedder\u002F5.0.0\u002Fassets\u002Fjs\u002Fadmin\u002Fpdfemb-admin.js\t2026-05-14 11:32:12.000000000 +0000\n@@ -15,6 +15,7 @@\n \n \t\t\t\t$.post( ajaxurl, {\n \t\t\t\t\taction: 'pdfemb_admin_settings_getstarted_dismiss',\n+\t\t\t\t\tnonce: pdfemb_args.getstarted_nonce,\n \t\t\t\t} );\n \n \t\t\t\treturn;\n@@ -22,6 +23,7 @@\n \n \t\t\t$.post( ajaxurl, {\n \t\t\t\t action: 'pdfemb_admin_settings_getstarted_open',\n+\t\t\t\t nonce: pdfemb_args.getstarted_nonce,\n \t\t\t } );\n \n \t\t\t $( '#pdfemb-getstarted' ).slideDown( 'fast', function() {","The exploit is a passive Information Exposure targeted at the WordPress Block Editor. An attacker with Contributor-level permissions or higher logs into the WordPress administrative dashboard and navigates to the 'New Post' or 'Edit Post' page. Because the plugin enqueues its configuration for all users who can access the editor, the attacker can open the browser's developer console and inspect the global 'window.pdfemb_args' object. This object contains viewer settings, usage tracking status, the plugin plan, and administrative nonces (such as install_nonce, activate_nonce, and deactivate_nonce). If the premium version is installed, the license key may also be exposed within this localized data.","gemini-3-flash-preview","2026-06-04 16:43:23","2026-06-04 16:43:49",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.9.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-embedder\u002Ftags\u002F4.9.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpdf-embedder.4.9.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-embedder\u002Ftags\u002F5.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpdf-embedder.5.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-embedder\u002Ftags"]