Skip to main content

E2Pdf WordPress Plugin CVE-2026-12407

| EUVDEUVD-2026-37836 HIGH
Missing Authorization (CWE-862)
2026-06-18 Wordfence GHSA-cg97-5gg4-vc94
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable admin endpoint (AV:N), no special timing (AC:L), requires a low-privilege authenticated account with delegated capability (PR:L), no admin interaction (UI:N), and arbitrary option overwrite yields full site compromise (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 04:43 vuln.today
CVE Published
Jun 18, 2026 - 03:41 cve.org
HIGH 8.8

DescriptionCVE.org

The E2Pdf - Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification - when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely - while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.

AnalysisAI

Privilege escalation in the E2Pdf - Export Pdf Tool for WordPress plugin (versions ≤ 1.32.26) allows authenticated low-privilege users with the e2pdf_templates capability to overwrite arbitrary WordPress options and elevate themselves to administrator. The flaw stems from the screen_action() function lacking a capability check and nonce verification, letting attackers pass attacker-controlled option names and values directly to update_option(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege authenticated account
Delivery
Confirm e2pdf_templates capability granted
Exploit
POST to admin page with action=screen and crafted wp_screen_options
Install
Bypass nonce gate via screen_action() path
C2
update_option('default_role','administrator') executes
Execute
Register new account auto-promoted to administrator
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session on a site running E2Pdf ≤ 1.32.26 where an administrator has granted the e2pdf_templates capability to a non-administrator role via the plugin's built-in Permissions UI - without that grant, the page-level capability check blocks the request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H accurately reflects a network-reachable, low-complexity privilege escalation that requires only a low-privileged authenticated session and yields full administrator control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privilege account (e.g., Subscriber on a site that allows registration) that has been granted the e2pdf_templates capability via the plugin's Permissions UI. They send an authenticated POST request to the E2Pdf templates admin page with ?action=screen and wp_screen_options[option_name]=default_role&wp_screen_options[value]=administrator, which bypasses the index_action() nonce gate and writes the value through update_option(). …
Remediation Upstream fix available (changeset 3574750 in the WordPress.org plugin repository); a released patched version is not independently confirmed from the supplied data, so administrators should update to the latest available E2Pdf release published after the 1.32.26 changeset and verify via https://plugins.trac.wordpress.org/changeset?old=3574750%40e2pdf. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress installations using E2Pdf plugin; document version numbers; audit and document which users hold the e2pdf_templates capability; scan admin logs for recent unauthorized account changes or administrative actions by low-privilege accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy