CVE-2026-27416
Description
Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects PDF Poster: from n/a through 2.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the PDF Poster plugin (≤2.4.1) allows unprivileged users to execute higher-privileged actions, enabling mass exploitation.
The PDF Poster plugin for WordPress (versions through 2.4.1) contains a missing authorization vulnerability. The plugin fails to properly check user capabilities or nonce tokens in certain functions, allowing unauthenticated or low-privileged users to access and execute actions intended for higher-privileged roles [1].
Attackers can exploit this flaw without any authentication, as the access control checks are incorrectly configured. This vulnerability is actively used in mass-exploit campaigns targeting thousands of WordPress sites, regardless of their size or traffic [1].
Successful exploitation allows an attacker to perform unauthorized actions, such as modifying plugin settings or accessing sensitive data, depending on the missing authorization context. The CVSS v3 base score is 5.3 (Medium), reflecting the potential for unauthorized access without complex prerequisites [1].
The vendor has released version 2.5.0, which addresses the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. Although the vendor rates the impact as low and exploitation unlikely, the active use in mass campaigns warrants prompt patching [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.4.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (2)
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026), Wordfence Blog · May 14, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026), Wordfence Blog · May 7, 2026