CVE-2026-32442

Vulnerability

Overview

The E2Pdf plugin for WordPress versions up to and including 1.28.15 suffers from a Missing Authorization vulnerability (CWE-862). This broken access control issue means that certain functions within the plugin lack proper authorization or nonce token checks, allowing an unprivileged user to execute actions that should require higher privileges [1].

Exploitation

Attackers can exploit this flaw without needing authentication or with minimal privileges, depending on the specific unprotected function. Since this vulnerability lies in incorrectly configured access control security levels, it can be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously [1]. The attack surface is broad, as the plugin is widely installed.

Impact

Successful exploitation could allow an attacker to perform unauthorized operations normally reserved for higher-privilege roles, such as managing PDF templates or accessing sensitive data. This can lead to further compromise of the WordPress site, including data theft or site defacement.

Mitigation

The vulnerability is addressed in version 1.32.00 of the E2Pdf plugin. Users are strongly advised to update immediately. For those unable to update, applying a web application firewall rule or contacting a hosting provider for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].