E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter

An authenticated attacker who has been granted the `e2pdf_templates` capability (which the plugin's Permissions UI allows administrators to assign to any role, including Subscriber) can send a POST request to `admin.php?page=e2pdf-templates&action=screen` with a valid `screenoptionnonce` and a crafted `wp_screen_options` payload. Because the `screen_action()` function is invoked without a dedicated capability check or nonce verification tied to the `e2pdf_templates` action, the attacker can overwrite arbitrary WordPress options such as `default_role` to `administrator`, thereby escalating privileges. [CWE-862] [ref_id=1]

The vulnerability resides in the `e2pdf-templates.php` controller, specifically in the `index_action()` method's nonce handling and the `screen_action()` function. The `index_action()` method checks for `screenoptionnonce` before the `e2pdf_templates` nonce, and when `screenoptionnonce` is present it calls `screen_action()` directly without verifying the `e2pdf_templates` capability or nonce. The `screen_action()` function then reads attacker-controlled option name and value from `$_POST['wp_screen_options']` and passes them to `update_option()` with no allowlist.

The advisory does not include a published patch. The recommended fix would be to add a dedicated capability check (e.g., `current_user_can('manage_options')`) inside `screen_action()` or to ensure that the `index_action()` method validates the `e2pdf_templates` nonce and capability before routing to `screen_action()`. Additionally, the option names passed to `update_option()` should be allowlisted to prevent arbitrary option overwrites.