CVE-2026-12407
Status: Received (Intake)
E2Pdf WordPress Plugin Missing Authorization Vulnerability

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification (when invoked via the ?action=screen routing path, the controller's index_action() nonce gate is bypassed entirely) while reading an attacker-controlled option name and value from $_POST['wp_screen_options'] and passing them directly to update_option() with no allowlist. The function relies solely on the page-level e2pdf_templates capability, which the plugin's own Permissions UI allows administrators to grant to any role, including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers with a custom role that has been granted the e2pdf_templates capability to overwrite arbitrary WordPress options, such as default_role, and thereby escalate their privileges to administrator.
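The three controls the description names as missing (a capability check inside the handler itself, nonce verification on the state-changing request, and an allowlist for the option name taken from the request) fit in one small save handler. The following is an added example written in that pattern; it is not the E2Pdf plugin's code, and the function name, the nonce action string, the constant name and the allowed option keys are illustrative assumptions.

```php
<?php
/**
 * Added example (not the E2Pdf plugin's own code): a hardened "screen options"
 * save handler. The capability name e2pdf_templates comes from the advisory;
 * the function name, nonce action and allowed keys are assumptions.
 */

// Option names that this form may write, each paired with the sanitizer
// applied to the submitted value. Anything not listed here is rejected.
const EXAMPLE_SCREEN_OPTION_ALLOWLIST = array(
    'example_per_page' => 'absint',        // non-negative integer
    'example_columns'  => 'sanitize_key',  // lowercase key-safe string
);

function example_screen_action() {
    // 1. Capability check inside the handler: a page-level gate on another
    //    routing path does not protect this one, so the check lives here.
    if ( ! current_user_can( 'e2pdf_templates' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }

    // 2. Nonce verification bound to this specific action. The matching form
    //    emits wp_nonce_field( 'example_screen_options' ).
    check_admin_referer( 'example_screen_options', '_wpnonce' );

    $posted = isset( $_POST['wp_screen_options'] ) ? wp_unslash( $_POST['wp_screen_options'] ) : array();
    if ( ! is_array( $posted ) || empty( $posted['option'] ) ) {
        return;
    }
    $option = (string) $posted['option'];
    $value  = isset( $posted['value'] ) ? $posted['value'] : '';

    // 3. Allowlist on the option name. The name is attacker-controlled input,
    //    so site-wide options such as default_role never reach the store.
    if ( ! array_key_exists( $option, EXAMPLE_SCREEN_OPTION_ALLOWLIST ) ) {
        wp_die( esc_html__( 'Unknown screen option.', 'example' ), 400 );
    }
    $sanitizer = EXAMPLE_SCREEN_OPTION_ALLOWLIST[ $option ];
    $value     = call_user_func( $sanitizer, $value );

    // 4. Scope the write to the current user. Screen options are per-user
    //    preferences, so they belong in user meta, not in wp_options.
    update_user_meta( get_current_user_id(), $option, $value );
}
```

The ordering matters for review: the capability and nonce checks come before any request data is read, the allowlist is consulted before any write, and the write goes to user meta rather than update_option(), so even a future gap in the allowlist cannot change site-wide configuration.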
Affected Vendors & Products
Vendor:          e2pdf
Product:         e2pdf_export_pdf_tool
Version / Range: up to and including 1.32.26
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The E2Pdf – Export Pdf Tool for WordPress plugin is vulnerable to Missing Authorization in versions up to and including 1.32.26. This vulnerability arises because the screen_action() function does not perform a dedicated capability check or nonce verification. When accessed via the ?action=screen routing path, it bypasses the usual nonce check in index_action(). The function reads an attacker-controlled option name and value from the POST parameter 'wp_screen_options' and passes them directly to update_option() without any allowlist. The plugin relies only on the e2pdf_templates capability, which administrators can grant to any role, including low-privilege roles like Subscriber, Contributor, Author, or Editor. This allows an authenticated attacker with a custom role granted this capability to overwrite arbitrary WordPress options, such as default_role, enabling privilege escalation to administrator.

Impact Analysis

This vulnerability can allow an authenticated attacker with a custom role that has been granted the e2pdf_templates capability to overwrite arbitrary WordPress options. For example, they could change the default_role option to escalate their privileges to administrator. This leads to a full compromise of the WordPress site, including the ability to modify content, install malicious plugins or themes, and access sensitive data.
