CVE-2026-12407

HIGH EPSS 30.6%
Published Jun 18, 20262w ago · Modified Jun 18, 20262w ago
8.8 CVSS 3.1
High
Find Similar
Published Jun 18, 2026 2w ago
Last Modified Jun 18, 2026 2w ago

Description

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely — while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
30.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-862 Missing Authorization Authorization

References 10

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1233
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1235
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L23
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/helper/e2pdf-view.php#L90
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1233
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1235
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L23
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/helper/e2pdf-view.php#L90
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574750%40e2pdf&new=3574750%40e2pdf&sfp_email=&sfph_mail=
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/ee4c5d34-74cb-443b-9323-90580dbe675e?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.