Description
The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status.
Published: 2026-04-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure to Authenticated Users
Action: Apply Patch
AI Analysis

Impact

The Katalogportal PDF Sync plugin for WordPress, up to version 1.0.0, lacks proper authorization checks on its AJAX handler. Because the handler is registered without capability checks or nonce verification, any authenticated user—including subscribers—can invoke the endpoint. The endpoint returns a complete list of synchronized PDF attachments, including those attached to private or draft posts, along with their titles, filenames, and a configuration value. This exposes internal metadata and file names, constituting an information-disclosure vulnerability classified as Missing Authorization (CWE-862).

Affected Systems

WordPress sites running the Katalogportal PDF Sync plugin version 1.0.0 or earlier are affected. The plugin is distributed by colbeinformatik under the name Katalogportal PDF Sync Widget. No additional operating system or WordPress version constraints are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The flaw can be exploited by any authenticated WordPress user, a condition that can arise from legitimate access or credential compromise. Because the endpoint returns data from attachments associated with private or draft posts, the disclosed information may contain sensitive filenames and metadata. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog, implying that current exploitation activity is uncertain.

Generated by OpenCVE AI on April 15, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Katalogportal PDF Sync plugin to the latest release that includes an authorization check for the AJAX handler.
  • If an update cannot be applied immediately, modify the plugin’s admin.php file to add a capability check—such as current_user_can('edit_posts')—before executing the callback, or replace the add_action( 'wp_ajax_katalogportal_shortcodePrinter', … ) line with a role‑restricted hook.
  • As an interim workaround, block or delete the vulnerable AJAX endpoint by commenting out its registration or by configuring a firewall to drop requests to admin‑ajax.php with the action parameter katalogportal_shortcodePrinter from subscribers or lower roles.

Generated by OpenCVE AI on April 15, 2026 at 10:50 UTC.
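The following is an added example of what the recommended fix looks like in practice; it is not the plugin's own code and not a patch from the vendor. It reuses only the names the advisory gives (the katalogportal_popup_shortcode() callback, the wp_ajax_katalogportal_shortcodePrinter hook and the katalogportal_userid option); the nonce action name, the script handle, the meta key marking synchronized files and the response shape are assumptions made for the example. The handler verifies a nonce with check_ajax_referer(), requires the edit_posts capability the advisory suggests, and filters attachments by the parent post's visibility instead of querying with post_status => 'any'.

```php
<?php
// Added example (not the plugin's code): a hardened version of the AJAX-handler
// pattern described in the advisory. Names marked "assumed" are not from the page.

// 1. Hand a nonce to the admin-side script that calls admin-ajax.php, so the
//    handler can verify that the request came from this plugin's own UI.
add_action( 'admin_enqueue_scripts', function () {
    // 'katalogportal-admin' is an assumed script handle.
    wp_localize_script( 'katalogportal-admin', 'katalogportalAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'katalogportal_shortcode_printer' ), // assumed nonce action
    ) );
} );

// 2. Register the handler for logged-in users only (deliberately no wp_ajax_nopriv_ twin).
add_action( 'wp_ajax_katalogportal_shortcodePrinter', 'katalogportal_popup_shortcode' );

function katalogportal_popup_shortcode() {
    // Nonce check: rejects requests that did not originate from the plugin's UI.
    // In an AJAX context check_ajax_referer() dies with HTTP 403 on failure.
    check_ajax_referer( 'katalogportal_shortcode_printer', 'nonce' );

    // Capability check: the advisory notes this was missing, which is what let
    // Subscribers call the endpoint. 'edit_posts' is the capability it suggests.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Attachments carry post_status 'inherit'; their visibility follows the parent.
    // The original query used post_status => 'any', so private/draft parents leaked.
    $attachments = get_posts( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',
        'post_status'    => 'inherit',
        'posts_per_page' => -1,
        'meta_key'       => '_katalogportal_synced', // assumed meta key for synced files
        'meta_value'     => '1',
    ) );

    $items = array();
    foreach ( $attachments as $attachment ) {
        $parent = $attachment->post_parent ? get_post( $attachment->post_parent ) : null;
        // Skip attachments whose parent post is not published (private, draft, trash).
        if ( $parent && 'publish' !== $parent->post_status ) {
            continue;
        }
        $items[] = array(
            'id'    => $attachment->ID,
            'title' => get_the_title( $attachment ),
            'url'   => wp_get_attachment_url( $attachment->ID ),
        );
    }

    $response = array( 'items' => $items );
    // Plugin configuration is only returned to users who may manage options.
    if ( current_user_can( 'manage_options' ) ) {
        $response['userid'] = get_option( 'katalogportal_userid' );
    }

    wp_send_json_success( $response );
}
```

The front-end script must send the nonce as the `nonce` request field (read from `katalogportalAjax.nonce`) alongside `action=katalogportal_shortcodePrinter`; without it, check_ajax_referer() rejects the call before any data is queried. Keeping the capability check separate from the nonce check matters: a nonce only proves intent from the plugin's own page, while current_user_can() is what actually enforces who may read the attachment list.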

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:15:00 +0000

Type      Values Removed    Values Added
Metrics   -                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Colbeinformatik
                                        Colbeinformatik katalogportal-pdf-sync Widget
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products    -                 Colbeinformatik
                                        Colbeinformatik katalogportal-pdf-sync Widget
                                        Wordpress
                                        Wordpress wordpress

Wed, 15 Apr 2026 09:00:00 +0000

Type          Values Removed    Values Added
Description   -                 The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status.
Title         -                 Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action
Weaknesses    -                 CWE-862
References    -                 -
Metrics       -                 cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T15:42:28.267Z

Reserved: 2026-03-06T16:23:45.982Z

Link: CVE-2026-3649

Vulnrichment

Updated: 2026-04-15T15:42:24.010Z

NVD

Status : Received

Published: 2026-04-15T09:16:31.917

Modified: 2026-04-15T09:16:31.917

Link: CVE-2026-3649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:17Z

Weaknesses