CVE Catalog

CVE-2026-12407

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

30th percentile — higher than 30% of all known CVEs

Summary

The E2Pdf – Export Pdf Tool for WordPress plugin is vulnerable to Missing Authorization in versions up to and including 1.32.26. The screen_action() function lacks a dedicated capability check and nonce verification, allowing attackers to overwrite WordPress options.

Risk Assessment

Authenticated attackers with the appropriate permissions can gain access to WordPress options, potentially escalating their privileges to administrator level. This poses a serious security threat to the entire site.

Recommendation

It is recommended to update the E2Pdf plugin to the latest version to mitigate this vulnerability. Additionally, access to the e2pdf_templates capability should be restricted to trusted roles only.

Original NVD description (English source)

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely — while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS