PT-2026-50618 · Oleksandrz · E2Pdf – Export Pdf Tool For Wordpress

Bui Duy · Published 2026-06-18 · Updated 2026-06-18 · CVE-2026-12407

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. The screen_action() function lacks a dedicated capability check and nonce verification: when it is invoked via the ?action=screen routing path, the controller's index_action() nonce gate is bypassed entirely. The function reads an attacker-controlled option name and value from $_POST['wp_screen_options'] and passes them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability, which the plugin's own Permissions UI allows administrators to grant to any role, including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers with a custom role that has been granted the e2pdf_templates capability to overwrite arbitrary WordPress options, such as default_role, and thereby escalate their privileges to administrator.
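The following sketch is an added illustration of the pattern the description names, written for this page; it is not E2Pdf's code and does not reproduce the plugin's controller. The first function shows a "screen" action that forwards screen-option data straight to update_option(); the second shows the same action with the three missing controls (nonce, dedicated capability check, option allowlist) plus per-user storage. It assumes the WordPress core convention for the screen-options form, namely $_POST['wp_screen_options']['option'] and ['value'] together with the screenoptionnonce field produced by wp_nonce_field('screen-options-nonce', 'screenoptionnonce'); the function names and the e2pdf_templates_per_page option key are hypothetical.

```php
<?php
/*
 * Added illustration (not E2Pdf's code) of the vulnerability pattern in the
 * advisory, beside a hardened form. Assumes core's screen-options convention:
 *   $_POST['wp_screen_options']['option'], $_POST['wp_screen_options']['value']
 *   and the 'screenoptionnonce' field from
 *   wp_nonce_field( 'screen-options-nonce', 'screenoptionnonce' ).
 * Function names and the per-page option key are hypothetical.
 */

/*
 * Vulnerable pattern: no nonce check, no capability check inside the action,
 * no allowlist. The only gate is the page-level capability (e2pdf_templates),
 * which the plugin's Permissions UI lets an administrator grant to any role.
 * A caller that sends option=default_role&value=administrator rewrites a
 * site-wide option, because update_option() writes wp_options for everyone.
 */
function hypothetical_vulnerable_screen_action() {
    if ( empty( $_POST['wp_screen_options'] ) || ! is_array( $_POST['wp_screen_options'] ) ) {
        return;
    }
    $option = $_POST['wp_screen_options']['option']; // attacker-controlled option name
    $value  = $_POST['wp_screen_options']['value'];  // attacker-controlled value
    update_option( $option, $value );                // arbitrary site-option write
}

/*
 * Hardened pattern. Each numbered control closes one gap named in the
 * advisory. Screen options are per-user display preferences, so, as core's
 * set_screen_options() does, they belong in user meta, never in wp_options.
 */
function hypothetical_hardened_screen_action() {
    if ( empty( $_POST['wp_screen_options'] ) || ! is_array( $_POST['wp_screen_options'] ) ) {
        return;
    }

    // 1. CSRF: verify the same nonce core checks for screen options. Dies on failure.
    check_admin_referer( 'screen-options-nonce', 'screenoptionnonce' );

    // 2. Authorization inside the action itself, independent of how it was routed.
    if ( ! current_user_can( 'e2pdf_templates' ) ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to do that.' ), 403 );
    }

    // 3. Allowlist: only the option names this screen owns (key is hypothetical).
    //    sanitize_key() alone would still pass 'default_role'; the lookup is what blocks it.
    $allowed = array(
        'e2pdf_templates_per_page' => array( 'min' => 1, 'max' => 200, 'default' => 20 ),
    );
    $option = isset( $_POST['wp_screen_options']['option'] )
        ? sanitize_key( wp_unslash( $_POST['wp_screen_options']['option'] ) )
        : '';
    if ( ! isset( $allowed[ $option ] ) ) {
        return; // anything not on the allowlist is ignored
    }

    // 4. Type and range validation of the value; fall back to the default.
    $value = isset( $_POST['wp_screen_options']['value'] )
        ? absint( $_POST['wp_screen_options']['value'] )
        : 0;
    if ( $value < $allowed[ $option ]['min'] || $value > $allowed[ $option ]['max'] ) {
        $value = $allowed[ $option ]['default'];
    }

    // 5. Per-user storage: this can never touch default_role or any other site option.
    update_user_meta( get_current_user_id(), $option, $value );
}
```

When triaging a site that ran an affected version with e2pdf_templates granted to a low-privilege role, two WP-CLI checks give a quick read on whether the escalation path was used: `wp option get default_role` should still print `subscriber` (or whatever the site intentionally set), and `wp user list --role=administrator` should list only expected accounts. A default_role of administrator, or an administrator account created after the capability was granted, is worth a closer look.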

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-12407

Affected Products

E2Pdf – Export Pdf Tool For Wordpress