CVE-2026-12407 - Vulnerability Details

Link	Providers
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1233
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1235
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L23
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/helper/e2pdf-view.php#L90
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1233
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1235
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L23
https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/helper/e2pdf-view.php#L90
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574750%40e2pdf&new=3574750%40e2pdf&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/ee4c5d34-74cb-443b-9323-90580dbe675e?source=cve

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely — while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator.
Title		E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1233 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1235 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L23 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/helper/e2pdf-view.php#L90 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1233 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1235 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L23 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/helper/e2pdf-view.php#L90 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574750%40e2pdf&new=3574750%40e2pdf&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/ee4c5d34-74cb-443b-9323-90580dbe675e?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12407", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-06-16T14:20:41.938Z", "datePublished": "2026-06-18T03:41:39.487Z", "dateUpdated": "2026-06-18T12:46:32.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-06-18T03:41:39.487Z"}, "affected": [{"vendor": "oleksandrz", "product": "E2Pdf \u2013 Export Pdf Tool for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.32.26", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The E2Pdf \u2013 Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification \u2014 when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely \u2014 while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator."}], "title": "E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee4c5d34-74cb-443b-9323-90580dbe675e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1235"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1233"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/helper/e2pdf-view.php#L90"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1235"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1233"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/helper/e2pdf-view.php#L90"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L23"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574750%40e2pdf&new=3574750%40e2pdf&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bui Duy"}], "timeline": [{"time": "2026-06-16T14:35:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-06-17T14:55:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-18T12:44:51.352413Z", "id": "CVE-2026-12407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T12:46:32.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-18T12:44:51.352413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T12:46:23.641Z"}}], "cna": {"title": "E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Bui Duy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "oleksandrz", "product": "E2Pdf \u2013 Export Pdf Tool for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.32.26"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-06-16T14:35:52.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-06-17T14:55:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee4c5d34-74cb-443b-9323-90580dbe675e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1235"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L1233"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/helper/e2pdf-view.php#L90"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.26/classes/controller/e2pdf-templates.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1235"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L1233"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/helper/e2pdf-view.php#L90"}, {"url": "https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.11/classes/controller/e2pdf-templates.php#L23"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574750%40e2pdf&new=3574750%40e2pdf&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The E2Pdf \u2013 Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification \u2014 when invoked via the ?action=screen routing path the controller's index_action() nonce gate is bypassed entirely \u2014 while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin's own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-06-18T03:41:39.487Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12407", "state": "PUBLISHED", "dateUpdated": "2026-06-18T12:46:32.925Z", "dateReserved": "2026-06-16T14:20:41.938Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-06-18T03:41:39.487Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object