Skip to main content

bPlugins PDF Poster CVE-2026-27416

| EUVDEUVD-2026-28336 MEDIUM
Missing Authorization (CWE-862)
2026-05-07 Patchstack GHSA-qxq7-73m9-xj3m
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 09:45 vuln.today
CVE Published
May 07, 2026 - 08:38 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects PDF Poster: from n/a through 2.4.1.

AnalysisAI

Missing authorization controls in bPlugins PDF Poster WordPress plugin versions up to 2.4.1 allow unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control. The vulnerability exposes limited confidential data without requiring authentication or user interaction, affecting all default installations of the affected plugin versions.

Technical ContextAI

bPlugins PDF Poster is a WordPress plugin that manages PDF content generation and display. The vulnerability stems from improper access control implementation (CWE-862: Missing Authorization) in the plugin's backend API endpoints or functionality handlers. WordPress plugins interact with the WordPress REST API and internal request handlers, which must explicitly check user capabilities before executing sensitive operations. The affected versions fail to properly validate whether the requesting user has permission to access or retrieve PDF data, allowing the access control security levels to be bypassed entirely at the network layer without privilege escalation.

RemediationAI

Update bPlugins PDF Poster to a version newer than 2.4.1; the exact patched version is not specified in the available intelligence, so contact bPlugins or consult their official security advisory on Patchstack for the recommended fix version. As an immediate compensating control, restrict direct access to the plugin's API endpoints at the web server level by disabling REST API endpoints related to PDF Poster functionality if not actively required, or implement strict IP-based access control on the WordPress backend. If the plugin provides a settings option to require authentication for PDF retrieval, enable that setting. Disable the PDF Poster plugin entirely until a confirmed patch is deployed if the sensitive data it exposes is critical.

Share

CVE-2026-27416 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy