CVE-2026-27416

PDF Poster – Display PDF Files with Custom Viewer <= 2.4.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.5.0
Patched in
5d
Time to patch

Description

The PDF Poster – Display PDF Files with Custom Viewer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.4.1
PublishedMay 7, 2026
Last updatedMay 11, 2026
Affected pluginpdf-poster

What Changed in the Fix

Changes introduced in v2.5.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This detailed research plan outlines the steps required to exploit **CVE-2026-27416** (Missing Authorization) in the **PDF Poster** WordPress plugin (versions <= 2.4.1). ## 1. Vulnerability Summary The **PDF Poster** plugin fails to implement proper authorization (capability) checks on several func…

Show full research plan

This detailed research plan outlines the steps required to exploit CVE-2026-27416 (Missing Authorization) in the PDF Poster WordPress plugin (versions <= 2.4.1).

1. Vulnerability Summary

The PDF Poster plugin fails to implement proper authorization (capability) checks on several functions, most notably those registered via the admin_init hook or AJAX actions. This allows unauthenticated users to perform administrative actions, such as updating plugin settings, by sending crafted requests to admin-ajax.php or other admin entry points.

The vulnerability exists because the developer assumes that logic tied to admin_init or wp_ajax is only accessible to authorized users. However, admin_init is triggered for any request to an admin-related path (including admin-ajax.php), even by unauthenticated users.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (or any admin page that triggers admin_init).
  • Target Action: pdfp_save_settings (Inferred based on plugin structure and typical "Missing Authorization" patterns in this plugin).
  • Authentication: None required (PR:N).
  • Preconditions: The plugin must be active.
  • Impact: Unauthorized modification of plugin settings, potentially including Google Drive API keys, viewer configurations, or notice states (I:L).

3. Code Flow

  1. Request Initiation: An unauthenticated attacker sends a POST request to wp-admin/admin-ajax.php.
  2. Hook Trigger: WordPress initializes and fires the admin_init hook.
  3. Vulnerable Handler: The plugin's settings handler (e.g., pdfp_save_settings()) is attached to admin_init (or registered as a wp_ajax_nopriv action).
  4. Missing Check: The handler executes without calling current_user_can( 'manage_options' ) or verifying a cryptographic nonce (check_ajax_referer).
  5. Execution: The handler processes the $_POST['pdfp_settings'] (inferred) array and updates the WordPress database using update_option().

4. Nonce Acquisition Strategy

This vulnerability typically involves a complete lack of nonce verification or the use of a nonce that is leaked to unauthenticated users.

If a nonce is required:

  1. Identify Script Localization: The plugin enqueues scripts using a handle like pdfp-public or pdfp-admin.
  2. Setup: Create a post containing the PDF Poster block.
    • wp post create --post_type=page --post_status=publish --post_title="Exploit Page" --post_content='<!-- wp:pdfp/pdfposter {"file":"https://example.com/test.pdf"} /-->'.
  3. Extraction:
    • Navigate to the newly created page.
    • Use browser_eval to extract the nonce from the localized JS object.
    • Target Object: window.pdfp_admin or window.pdfp_public.
    • JS Command: browser_eval("window.pdfp_admin?.nonce || window.pdfp_public?.nonce").

If no nonce is checked:
The exploit will proceed directly with the POST request omitting the nonce parameter.

5. Exploitation Strategy

The goal is to modify a plugin setting (e.g., changing the google_drive_client_id) to demonstrate unauthorized data modification.

Step 1: Discover the Trigger Parameter

Identify the exact POST parameter that triggers the save logic. Common candidates for this plugin:

  • pdfp_settings_save
  • pdfp_save_settings
  • submit_pdfp_settings

Step 2: Craft the Payload

Send a request to update a non-destructive setting.

HTTP Request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=pdfp_save_settings&pdfp_settings[google_drive_client_id]=PwnedByExploit&pdfp_settings_save=1
    
    (Note: The action may vary. If admin_init is the sink, the action can be anything, but the specific pdfp_settings parameters must be present.)

6. Test Data Setup

  1. Install Plugin: Ensure PDF Poster <= 2.4.1 is installed.
  2. Create a Test Poster:
    • wp post create --post_type=pdfp_poster --post_title="Test PDF" --post_status=publish
  3. Check Initial Settings:
    • wp option get pdfp_settings (to verify the baseline).

7. Expected Results

  • Response: The server returns a 200 OK or 302 Redirect.
  • Database Change: The pdfp_settings option in the wp_options table is updated with the attacker-supplied value.

8. Verification Steps

After performing the http_request, verify the change via WP-CLI:

# Check if the specific key in the serialized option was updated
wp option get pdfp_settings --format=json | jq '."google_drive_client_id"'

Success Criteria: The output should be "PwnedByExploit".

9. Alternative Approaches

If pdfp_save_settings is not the vulnerable function, target notice dismissal:

  • Action: pdfp_dismiss_notice (Inferred from build/admin.js strings like fpdf_import_notice).
  • Payload: action=pdfp_dismiss_notice&notice_id=import_notice.
  • Verification: Check if the notice-related option (e.g., pdfp_notices) is updated in the database.

If the plugin uses the Codestar Framework (suggested by csf-field in admin.css), the AJAX action might be:

  • Action: pdfp_framework_save
  • Body: action=pdfp_framework_save&data[google_drive_client_id]=PwnedByExploit
Research Findings
Static analysis — not yet PoC-verified

Summary

The PDF Poster plugin for WordPress (versions <= 2.4.1) is vulnerable to unauthorized setting modification due to a lack of capability and nonce checks on administrative functions hooked to admin_init. This allows unauthenticated attackers to update plugin configurations by sending crafted requests to the site's admin handlers.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/pdf-poster/2.4.1/build/admin.asset.php /home/deploy/wp-safety.org/data/plugin-versions/pdf-poster/2.5.0/build/admin.asset.php
--- /home/deploy/wp-safety.org/data/plugin-versions/pdf-poster/2.4.1/build/admin.asset.php	2026-02-09 06:41:04.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/pdf-poster/2.5.0/build/admin.asset.php	2026-03-04 04:02:40.000000000 +0000
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '4c38a938fd9f9307ccf9');
+<?php return array('dependencies' => array(), 'version' => '2d8f0a1d0d0332bb032e');

Exploit Outline

The attacker targets administrative functions (e.g., pdfp_save_settings) that are improperly registered via the admin_init hook without accompanying authorization checks. By sending an unauthenticated POST request to /wp-admin/admin-ajax.php containing the appropriate trigger parameters (such as pdfp_settings_save) and a payload of new configuration values (e.g., google_drive_client_id), an attacker can overwrite plugin settings. The vulnerability stems from the plugin's failure to call current_user_can() and check_ajax_referer() before processing sensitive setting updates.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.