[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f02AgpdjvwPZZyH_miDl3pO6yMcStZbfR2VOiJQcARUg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-22350","pdf-for-elementor-forms-drag-and-drop-template-builder-missing-authorization","PDF for Elementor Forms + Drag And Drop Template Builder \u003C= 6.3.1 - Missing Authorization","The PDF for Elementor Forms + Drag And Drop Template Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","pdf-for-elementor-forms",null,"\u003C=6.3.1","6.5.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-11 00:00:00","2026-02-16 22:39:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F32ad6b52-1d59-4458-9661-3f1f126163ca?source=api-prod",6,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-22350 (Missing Authorization)\n\n## 1. 
Vulnerability Summary\nThe **PDF for Elementor Forms + Drag And Drop Template Builder** plugin (versions \u003C= 6.3.1) contains a missing authorization vulnerability. Specifically, several AJAX handlers registered via `wp_ajax_` fail to perform adequate capability checks (e.g., `current_user_can( 'manage_options' )`). This allows an authenticated attacker with Subscriber-level privileges to execute administrative actions, such as modifying plugin settings or template configurations.\n\nThe vulnerability resides in the way the plugin handles administrative AJAX requests, typically located in the `inc\u002Fadmin\u002Fclass-pfe-admin.php` or `includes\u002Fclass-pfe-admin.php` files, where hooks are registered without corresponding permission validation in the callback functions.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** `pfe_save_settings` (inferred) or `pfe_update_template_status` (inferred).\n*   **Payload Parameter:** `pfe_settings_data` or `template_id` + `status`.\n*   **Authentication:** Authenticated, Subscriber-level access or higher.\n*   **Preconditions:** The attacker must be logged in as a Subscriber and have access to the `admin-ajax.php` endpoint. A valid WordPress nonce for the specific action is likely required, though authorization is missing.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers AJAX actions in the admin class constructor:\n    `add_action( 'wp_ajax_pfe_save_settings', [ $this, 'pfe_save_settings_callback' ] );`\n2.  **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with `action=pfe_save_settings`.\n3.  **Missing Check:** The function `pfe_save_settings_callback()` is invoked. It may check for a nonce using `check_ajax_referer()` but fails to check `current_user_can('manage_options')`.\n4.  
**Sink:** The function proceeds to update plugin options or post meta:\n    `update_option( 'pfe_settings', $_POST['pfe_settings_data'] );`\n5.  **Execution:** The settings are modified globally for the site.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for its admin interface. Even though a Subscriber cannot access the plugin's settings page, the script might be enqueued on all admin pages (including the Dashboard or Profile page which Subscribers can access).\n\n1.  **Identify Localized Script:** Look for `wp_localize_script` in the plugin code (likely handle `pfe-admin-js` or `pfe-admin`).\n2.  **Create Trigger Content:** If the script is only loaded on specific pages (like a page with a specific shortcode), create that page:\n    `wp post create --post_type=page --post_status=publish --post_content='[pfe_template]'` (inferred shortcode).\n3.  **Navigate & Extract:**\n    *   Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`) or the created page.\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.pfe_admin_params?.pfe_nonce || window.pfe_ajax_object?.nonce\")` (inferred object\u002Fkey).\n4.  **Verify Action:** Check if the nonce is bound to the correct action string (e.g., `pfe_ajax_nonce`).\n\n## 5. 
Exploitation Strategy\nWe will attempt to modify the plugin's global settings to demonstrate unauthorized data modification.\n\n**Step 1: Setup**\n*   Log in as a Subscriber.\n*   Locate a valid nonce using the strategy in Section 4.\n\n**Step 2: Execute Exploit (Modify Settings)**\nSubmit an unauthorized request to change a plugin setting (e.g., changing the default PDF template or paper size).\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=pfe_save_settings&\n    _wpnonce=[EXTRACTED_NONCE]&\n    pfe_settings_data[paper_size]=A3&\n    pfe_settings_data[orientation]=landscape\n    ```\n\n**Step 3: Alternative Exploit (Modify Template Status)**\nIf settings are not accessible, target a template status modification.\n*   **Body:**\n    ```\n    action=pfe_update_template_status&\n    _wpnonce=[EXTRACTED_NONCE]&\n    template_id=[TARGET_ID]&\n    status=inactive\n    ```\n\n## 6. Test Data Setup\n1.  **Admin User:** Create an admin user to set up the plugin.\n2.  **Subscriber User:** Create a user with the `subscriber` role:\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3.  **Initial State:** Ensure the plugin is active and a PDF template exists:\n    `wp post create --post_type=pfe_template --post_title=\"Test Template\" --post_status=publish`\n4.  **Baseline Check:** Record the current value of the setting `pfe_settings`.\n\n## 7. Expected Results\n*   The `admin-ajax.php` response should return a success code (e.g., `{\"success\":true}` or `1`).\n*   The HTTP response status should be `200 OK`.\n*   The plugin settings or template metadata should be modified in the database despite the request coming from a Subscriber.\n\n## 8. Verification Steps\nAfter performing the HTTP request, use WP-CLI to verify the change:\n1.  
**Check Settings:**\n    `wp option get pfe_settings`\n    Confirm the `paper_size` is now `A3`.\n2.  **Check Template Meta (if targeted):**\n    `wp post meta get [ID] _pfe_status`\n    Confirm the status has changed.\n\n## 9. Alternative Approaches\nIf `pfe_save_settings` is not the vulnerable action, search for other AJAX callbacks in `inc\u002Fadmin\u002F` or `includes\u002F`:\n*   `pfe_duplicate_template`: Allows a Subscriber to spam the database with duplicate posts.\n*   `pfe_delete_template`: Allows a Subscriber to delete PDF templates.\n*   `pfe_save_template_data`: Allows modification of the PDF layout\u002Fcontent.\n\nIf the nonce is strictly protected by `is_admin()` or specific capability checks during localization, check if the plugin exposes the nonce on the frontend via a shortcode intended for users to \"Download PDF\". If so, the action string used there might be reused in a vulnerable admin function.","The PDF for Elementor Forms + Drag And Drop Template Builder plugin fails to perform capability checks on administrative AJAX handlers. This allows authenticated attackers with Subscriber-level privileges to modify plugin settings or manipulate PDF templates by sending unauthorized requests to the WordPress AJAX endpoint.","\u002F\u002F inc\u002Fadmin\u002Fclass-pfe-admin.php\n\npublic function register_ajax_hooks() {\n    add_action( 'wp_ajax_pfe_save_settings', [ $this, 'pfe_save_settings_callback' ] );\n    add_action( 'wp_ajax_pfe_update_template_status', [ $this, 'pfe_update_template_status_callback' ] );\n}\n\n\u002F\u002F Line ~150\npublic function pfe_save_settings_callback() {\n    check_ajax_referer( 'pfe_ajax_nonce', 'nonce' );\n\n    \u002F\u002F Missing capability check: if ( ! 
current_user_can( 'manage_options' ) ) return;\n\n    if ( isset( $_POST['pfe_settings_data'] ) ) {\n        update_option( 'pfe_settings', $_POST['pfe_settings_data'] );\n        wp_send_json_success();\n    }\n}","--- inc\u002Fadmin\u002Fclass-pfe-admin.php\n+++ inc\u002Fadmin\u002Fclass-pfe-admin.php\n@@ -150,6 +150,10 @@\n     public function pfe_save_settings_callback() {\n         check_ajax_referer( 'pfe_ajax_nonce', 'nonce' );\n \n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'pdf-for-elementor-forms' ) ) );\n+        }\n+\n         if ( isset( $_POST['pfe_settings_data'] ) ) {\n             update_option( 'pfe_settings', $_POST['pfe_settings_data'] );\n             wp_send_json_success();","To exploit this vulnerability, an attacker first authenticates as a Subscriber and navigates to the WordPress dashboard to extract a valid nonce (e.g., pfe_ajax_nonce) from localized script variables. The attacker then sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'pfe_save_settings' and the 'pfe_settings_data' parameter containing malicious configuration values. 
Because the plugin only validates the nonce and not the user's capabilities, it updates the global plugin settings in the database, allowing the attacker to disrupt site functionality or alter PDF generation behavior.","gemini-3-flash-preview","2026-04-21 01:17:44","2026-04-21 01:19:38",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-for-elementor-forms\u002Ftags\u002F6.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpdf-for-elementor-forms.6.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-for-elementor-forms\u002Ftags\u002F6.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpdf-for-elementor-forms.6.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-for-elementor-forms\u002Ftags"]
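Review bot: the added `current_user_can( 'manage_options' )` check at the top of `pfe_save_settings_callback()` closes the authorization gap, but the two unchanged context lines that follow still pass `$_POST['pfe_settings_data']` straight into `update_option( 'pfe_settings', ... )` with no sanitization and no allowlist of expected keys, so any user who does hold `manage_options` can persist an arbitrary array into wp_options; validate the expected keys and values before the `update_option()` call. No explicit `return` is needed after `wp_send_json_error()`, since it terminates via `wp_die()`.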
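The research above describes the bug class (a nonce check present, a capability check absent, raw request data written to an option) using inferred handler names. The following is an added example, not code from the plugin or from the research record: a generic WordPress admin-ajax handler written in the vulnerable shape beside a hardened version. The action, option and nonce names (`pfe_save_settings`, `pfe_settings`, `pfe_ajax_nonce`) and the settings keys (`paper_size`, `orientation`) are the page's inferred values and are assumptions here, not verified identifiers from the plugin.

```php
<?php
/**
 * Added example (not the plugin's own code). Names such as pfe_save_settings,
 * pfe_settings, pfe_ajax_nonce, paper_size and orientation are assumptions
 * taken from the page's inferred research plan, not verified identifiers.
 */

// Vulnerable pattern: check_ajax_referer() only proves the request carries a
// nonce minted for this logged-in user (CSRF protection). It says nothing
// about what the user is allowed to do, so any role that can obtain the
// nonce (e.g. a Subscriber who sees it in a localized script) passes here.
function pfe_example_save_settings_vulnerable() {
    check_ajax_referer( 'pfe_ajax_nonce', 'nonce' );

    if ( isset( $_POST['pfe_settings_data'] ) ) {
        // Raw, unsanitized array written straight into wp_options.
        update_option( 'pfe_settings', $_POST['pfe_settings_data'] );
        wp_send_json_success();
    }
    wp_send_json_error( array( 'message' => 'No data supplied.' ), 400 );
}

// Allowlist-based sanitizer for the settings array. Unknown keys and values
// are dropped rather than stored, so even a privileged caller cannot smuggle
// arbitrary keys into the option.
function pfe_example_sanitize_settings( $raw ) {
    $allowed = array(
        'paper_size'  => array( 'A4', 'A3', 'Letter', 'Legal' ),
        'orientation' => array( 'portrait', 'landscape' ),
    );
    $clean = array();
    if ( ! is_array( $raw ) ) {
        return $clean;
    }
    foreach ( $allowed as $key => $values ) {
        if ( isset( $raw[ $key ] ) && is_string( $raw[ $key ] ) ) {
            $value = sanitize_text_field( wp_unslash( $raw[ $key ] ) );
            if ( in_array( $value, $values, true ) ) {
                $clean[ $key ] = $value;
            }
        }
    }
    return $clean;
}

// Hardened pattern: the nonce (CSRF) and the capability (authorization) are
// separate controls and both are required. The capability check runs before
// any request data is read, and the stored value is the sanitized subset.
function pfe_example_save_settings_hardened() {
    check_ajax_referer( 'pfe_ajax_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw   = isset( $_POST['pfe_settings_data'] ) ? $_POST['pfe_settings_data'] : array();
    $clean = pfe_example_sanitize_settings( $raw );
    if ( empty( $clean ) ) {
        wp_send_json_error( array( 'message' => 'No valid settings supplied.' ), 400 );
    }

    $current = (array) get_option( 'pfe_settings', array() );
    update_option( 'pfe_settings', array_merge( $current, $clean ) );
    wp_send_json_success( $clean );
}

// Only the hardened handler is hooked; the vulnerable one is kept above for
// comparison. Note that wp_ajax_ (without the nopriv_ variant) still admits
// every authenticated role, which is exactly why the capability check matters.
add_action( 'wp_ajax_pfe_save_settings', 'pfe_example_save_settings_hardened' );
```

When auditing an unfamiliar plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` registration (for example with `grep -rn "wp_ajax_" --include=*.php`) and confirm each callback performs a `current_user_can()` check appropriate to the action, not just `check_ajax_referer()`; a nonce that a Subscriber can read from a dashboard-wide localized script is not an authorization control.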