Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable admin endpoint (AV:N), no special timing (AC:L), requires a low-privilege authenticated account with delegated capability (PR:L), no admin interaction (UI:N), and arbitrary option overwrite yields full site compromise (C/I/A:H).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The E2Pdf - Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification - when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely - while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.
Articles & Coverage 1
AnalysisAI
Privilege escalation in the E2Pdf - Export Pdf Tool for WordPress plugin (versions ≤ 1.32.26) allows authenticated low-privilege users with the e2pdf_templates capability to overwrite arbitrary WordPress options and elevate themselves to administrator. The flaw stems from the screen_action() function lacking a capability check and nonce verification, letting attackers pass attacker-controlled option names and values directly to update_option(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session on a site running E2Pdf ≤ 1.32.26 where an administrator has granted the e2pdf_templates capability to a non-administrator role via the plugin's built-in Permissions UI - without that grant, the page-level capability check blocks the request. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H accurately reflects a network-reachable, low-complexity privilege escalation that requires only a low-privileged authenticated session and yields full administrator control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privilege account (e.g., Subscriber on a site that allows registration) that has been granted the e2pdf_templates capability via the plugin's Permissions UI. They send an authenticated POST request to the E2Pdf templates admin page with ?action=screen and wp_screen_options[option_name]=default_role&wp_screen_options[value]=administrator, which bypasses the index_action() nonce gate and writes the value through update_option(). … |
| Remediation | Upstream fix available (changeset 3574750 in the WordPress.org plugin repository); a released patched version is not independently confirmed from the supplied data, so administrators should update to the latest available E2Pdf release published after the 1.32.26 changeset and verify via https://plugins.trac.wordpress.org/changeset?old=3574750%40e2pdf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress installations using E2Pdf plugin; document version numbers; audit and document which users hold the e2pdf_templates capability; scan admin logs for recent unauthorized account changes or administrative actions by low-privilege accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37836
GHSA-cg97-5gg4-vc94