Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in bPlugins PDF Poster pdf-poster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF Poster: from n/a through <= 2.4.0.
AnalysisAI
bPlugins PDF Poster through version 2.4.0 contains an authorization bypass vulnerability that allows authenticated users to modify or disrupt PDF operations due to improperly configured access controls. An attacker with valid credentials could exploit this flaw to manipulate data integrity or cause service disruption without proper authorization checks.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to properly enforce authorization checks before allowing sensitive operations. The PDF Poster plugin, identified via CPE string cpe:2.3:a:bplugins:pdf-poster, is a WordPress plugin designed for PDF document handling and poster generation. The issue stems from incorrectly configured security levels in the plugin's role-based access control implementation, allowing authenticated users with lower privilege levels to access or modify functionality that should be restricted to higher-privileged roles (administrators or specific user groups). This is a common pattern in WordPress plugins where custom post types or AJAX endpoints lack proper capability checks.
RemediationAI
Immediately upgrade bPlugins PDF Poster to version 2.4.1 or later, which patches the authorization bypass by implementing proper capability checks and role-based access control enforcement. Patch availability should be verified via the official WordPress plugin repository (wordpress.org/plugins/pdf-poster) and the vendor's advisory page. As an interim mitigation measure, restrict user registration and limit the creation of low-privilege accounts on affected WordPress installations until patching is completed. Review and audit existing user roles and capabilities within the WordPress admin panel to ensure separation of duties. Consider using WordPress security plugins to add additional access control layers and monitor for suspicious privilege escalation attempts. Database and file backups should be taken before applying patches to ensure rollback capability if issues arise.
More in Pdf Poster
View allImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins PDF Poste
Missing authorization controls in bPlugins PDF Poster WordPress plugin versions up to 2.4.1 allow unauthenticated remote
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11937