Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects PDF Poster: from n/a through 2.4.1.
AnalysisAI
Missing authorization controls in bPlugins PDF Poster WordPress plugin versions up to 2.4.1 allow unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control. The vulnerability exposes limited confidential data without requiring authentication or user interaction, affecting all default installations of the affected plugin versions.
Technical ContextAI
bPlugins PDF Poster is a WordPress plugin that manages PDF content generation and display. The vulnerability stems from improper access control implementation (CWE-862: Missing Authorization) in the plugin's backend API endpoints or functionality handlers. WordPress plugins interact with the WordPress REST API and internal request handlers, which must explicitly check user capabilities before executing sensitive operations. The affected versions fail to properly validate whether the requesting user has permission to access or retrieve PDF data, allowing the access control security levels to be bypassed entirely at the network layer without privilege escalation.
RemediationAI
Update bPlugins PDF Poster to a version newer than 2.4.1; the exact patched version is not specified in the available intelligence, so contact bPlugins or consult their official security advisory on Patchstack for the recommended fix version. As an immediate compensating control, restrict direct access to the plugin's API endpoints at the web server level by disabling REST API endpoints related to PDF Poster functionality if not actively required, or implement strict IP-based access control on the WordPress backend. If the plugin provides a settings option to require authentication for PDF retrieval, enable that setting. Disable the PDF Poster plugin entirely until a confirmed patch is deployed if the sensitive data it exposes is critical.
More in Pdf Poster
View allImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins PDF Poste
bPlugins PDF Poster through version 2.4.0 contains an authorization bypass vulnerability that allows authenticated users
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28336
GHSA-qxq7-73m9-xj3m