VYPR
Medium severity 5.4 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 22, 2026

CVE-2026-32416

Description

Missing Authorization vulnerability in bPlugins PDF Poster pdf-poster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Poster: from n/a through <= 2.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in PDF Poster plugin ≤2.4.0 allows unauthenticated attackers to exploit broken access controls, potentially compromising WordPress sites.

Vulnerability

Overview

The PDF Poster plugin for WordPress, versions 2.4.0 and earlier, contains a missing authorization vulnerability [1]. This broken access control issue stems from the plugin's failure to properly verify user permissions or nonce tokens in certain functions, allowing unauthenticated or low-privileged users to execute actions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability remotely without authentication, as the plugin does not enforce proper access control checks [1]. The attack surface is broad because the plugin is widely used, and the vulnerability can be chained with other techniques to target thousands of sites in mass-exploit campaigns [1]. No special network position or user interaction is required beyond visiting a crafted URL or sending a malicious request.

Impact

Successful exploitation gives an attacker unauthorized access to protected functionality, such as modifying plugin settings, accessing sensitive data, or performing other privileged actions [1]. The CVSS v3 score of 5.4 (Medium) reflects the potential for partial compromise of confidentiality and integrity, though the overall impact is limited compared to critical vulnerabilities [1].

Mitigation

The vendor has released version 2.4.1, which patches the missing authorization issue [1]. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].
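To find installs that still need the update, the following added example (not from the advisory or the plugin vendor) walks a web root for `wp-content/plugins/pdf-poster` and compares each install's `Version:` header against 2.4.1. The function names, the standard `wp-content/plugins` layout and the web-root argument are assumptions.

```shell
#!/bin/sh
# Added example: flag PDF Poster installs older than the fixed release.
SLUG="pdf-poster"   # plugin slug from the CVE description
FIXED="2.4.1"       # fixed version named in the Mitigation text

# Succeed when version $1 is strictly lower than $2 (numeric, dot-separated).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Print the Version: header of the plugin's main file, i.e. the PHP file in
# the plugin root that carries a "Plugin Name:" header.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        head -n 80 "$f" | grep -qi 'Plugin Name:' || continue
        head -n 80 "$f" |
            sed -n 's/^[[:space:]*#@]*[Vv]ersion:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' |
            head -n 1
        return 0
    done
    return 1
}

# One line per install under web root $1: STATUS<TAB>version<TAB>path
scan_root() {
    find "$1" -type d -path "*/wp-content/plugins/$SLUG" 2>/dev/null |
    while IFS= read -r dir; do
        v=$(plugin_version "$dir") || v=""
        if [ -z "$v" ]; then s=UNKNOWN; v=unknown
        elif version_lt "$v" "$FIXED"; then s=VULNERABLE
        else s=OK
        fi
        printf '%s\t%s\t%s\n' "$s" "$v" "$dir"
    done
}

# Usage: sh check.sh /path/to/webroot   (path is an assumption)
if [ $# -gt 0 ]; then scan_root "$1"; fi
```

Installs reported as `UNKNOWN` have no readable version header and should be checked by hand; sites that relocate `wp-content` need the `-path` pattern adjusted.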

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
