Description
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely — while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.
Published: 2026-06-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the E2Pdf – Export Pdf Tool for WordPress plugin where the screen_action() endpoint fails to perform a capability check or nonce verification. The function reads arbitrary option names and values from the wp_screen_options POST variable and forwards them directly to WordPress’s update_option() call, making it a CWE-862 missing authorization flaw. An attacker who is authenticated and has been granted the e2pdf_templates capability, which the plugin allows to be assigned to any role, can overwrite any WordPress option such as default_role. This enables the attacker to elevate privileges to Administrator, compromising the confidentiality, integrity, and availability of the site.

Affected Systems

The issue affects the Oleksandrz E2Pdf – Export Pdf Tool for WordPress plugin. All releases up to and including version 1.32.26 are vulnerable; any site running a version in that range is affected.

Risk and Exploitability

The flaw scores a CVSS of 8.8, indicating high severity. EPSS is reported as < 1 %, suggesting a low likelihood of exploitation in the wild at present. The vulnerability is not yet listed in the CISA KEV catalog. The attack requires an authenticated user with the e2pdf_templates capability; by sending a crafted POST request to the ?action=screen route, the attacker bypasses nonce verification and can update any option. The potential impact is full privilege escalation to an Administrator level.

Generated by OpenCVE AI on June 18, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest E2Pdf plugin update that addresses the missing capability checks and nonce validation on the screen_action endpoint.
  • Revoke the e2pdf_templates capability from all non‑administrator roles using the plugin’s Permissions UI or the WordPress role editor, ensuring only Administrators retain that ability.
  • If an immediate update is unavailable, modify the screen_action handler to enforce both capability verification and nonce validation before calling update_option(), or block external requests to the screen_action route altogether.
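The third action above describes the shape a fixed handler should have. The following is an added illustration of that shape, written for this page and not taken from the E2Pdf plugin: the function and option names (example_screen_action, example_allowed_screen_options, example_templates_per_page) and the choice of manage_options as the required capability are assumptions. It puts a capability check, nonce verification and an allowlist of option names in front of update_option(), so that a request arriving through any routing path is checked in the handler itself rather than by a gate elsewhere in the controller.

```php
<?php
// Added example, not E2Pdf code. All names below are hypothetical.
// Hardened screen-options handler: every request, whatever route it came
// in on, must pass (1) a capability check, (2) nonce verification and
// (3) an allowlist of option names before update_option() is called.

function example_allowed_screen_options() {
    // Map of permitted option name => sanitizer callback (assumed names).
    // Anything not listed here is refused, so a caller cannot pick
    // arbitrary options such as default_role.
    return array(
        'example_templates_per_page' => 'absint',
    );
}

function example_screen_action() {
    // 1. Capability check. manage_options is WordPress's standard
    //    administrator-level capability; a page-level capability that an
    //    administrator can grant to any role is not enough on its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), 403 );
    }

    // 2. Nonce verification, done inside the handler. The action and field
    //    names are assumptions; the form that posts here must emit the
    //    matching field via wp_nonce_field( 'example_screen_options',
    //    'example_screen_nonce' ).
    check_admin_referer( 'example_screen_options', 'example_screen_nonce' );

    $allowed = example_allowed_screen_options();
    $posted  = ( isset( $_POST['wp_screen_options'] ) && is_array( $_POST['wp_screen_options'] ) )
        ? wp_unslash( $_POST['wp_screen_options'] )
        : array();

    // 3. Allowlist. Normalise the submitted name, then refuse anything that
    //    is not an explicitly permitted option.
    $option = isset( $posted['option'] ) ? sanitize_key( $posted['option'] ) : '';
    if ( '' === $option || ! isset( $allowed[ $option ] ) ) {
        wp_die( esc_html__( 'Invalid screen option.', 'example' ), 400 );
    }

    // Sanitize the value with the callback registered for that option
    // before it is stored; a missing value falls back to 0.
    $sanitize = $allowed[ $option ];
    $value    = isset( $posted['value'] ) ? call_user_func( $sanitize, $posted['value'] ) : 0;

    update_option( $option, $value );
}
```

WordPress core's own screen-option save path follows the same pattern: set_screen_options() verifies a nonce and only honours option names it knows (or that a set-screen-option filter explicitly accepts) before storing the value, which is why a plugin that copies the wp_screen_options field layout should also copy that allowlist discipline rather than forwarding the submitted name straight to update_option().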



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Oleksandrz
                                      Oleksandrz e2pdf – Export Pdf Tool For Wordpress
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Oleksandrz
                                      Oleksandrz e2pdf – Export Pdf Tool For Wordpress
                                      Wordpress
                                      Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type          Values Removed   Values Added
Description                    The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely — while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.
Title                          E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T12:46:32.925Z

Reserved: 2026-06-16T14:20:41.938Z

Link: CVE-2026-12407

Vulnrichment

Updated: 2026-06-18T12:46:23.641Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:45:03Z

Weaknesses