PatchSiren cyber security CVE debrief

CVE-2026-12407 oleksandrz CVE debrief

The E2Pdf – Export Pdf Tool for WordPress plugin, in versions up to 1.32.26, is vulnerable to Missing Authorization. Authenticated attackers whose custom role has been granted the e2pdf_templates capability can overwrite arbitrary WordPress options, potentially escalating their privileges to administrator. The issue arises because the screen_action() function lacks a dedicated capability check and nonce verification: it reads an attacker-controlled option name and value from $_POST['wp_screen_options'] and passes them directly to update_option() with no allowlist.

Vendor: oleksandrz
Product: E2Pdf – Export Pdf Tool for WordPress
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

WordPress administrators, and any users whose roles carry the e2pdf_templates capability, should be aware of this vulnerability. Site owners running the E2Pdf plugin should update to a patched version immediately to prevent privilege escalation.

Technical summary

The plugin's screen_action() function performs no dedicated capability check and no nonce verification when it is reached through the ?action=screen routing path, which bypasses the nonce gate in the controller's index_action() entirely. The function reads an attacker-controlled option name and value from $_POST['wp_screen_options'] and passes them straight to update_option() with no allowlist of permitted option names. Access therefore rests solely on the page-level e2pdf_templates capability, which the plugin's Permissions UI lets an administrator grant to any role, including Subscriber, Contributor, Author, or Editor.
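To make the three missing controls concrete, the following is an added illustration written for this debrief; it is not E2Pdf's source code. It places the handler pattern the summary describes next to a hardened version that adds a dedicated capability check, nonce verification and an allowlist of option names. The request layout with `option` and `value` keys mirrors WordPress core's screen-options form; the nonce action and field names, the option names in the allowlist, and the choice of manage_options as the capability for the write are all assumptions.

```php
<?php
// Added illustration for this debrief; not E2Pdf's code. Shows the pattern
// described above (request-controlled option name and value written with
// update_option() and no dedicated authorization) next to a hardened form.

// Vulnerable pattern: anyone who can reach the page may write ANY option.
function illustrative_vulnerable_screen_action() {
    if ( empty( $_POST['wp_screen_options'] ) ) {
        return;
    }
    $opt = $_POST['wp_screen_options'];
    // Name and value both come from the request; no nonce, no capability
    // check for this action, no allowlist of option names.
    update_option( $opt['option'], $opt['value'] );
}

// Hardened pattern: three independent gates before any write happens.
function illustrative_hardened_screen_action() {
    // 1. Dedicated capability check for this action. Writing site-wide
    //    options is an administrator-level operation, so require
    //    manage_options instead of relying on the page-level
    //    e2pdf_templates capability (the capability choice is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce verification bound to this specific action. Action and field
    //    names are hypothetical; the form must emit a matching
    //    wp_nonce_field( 'e2pdf_screen_options', 'e2pdf_screen_nonce' ).
    check_admin_referer( 'e2pdf_screen_options', 'e2pdf_screen_nonce' );

    if ( empty( $_POST['wp_screen_options'] ) || ! is_array( $_POST['wp_screen_options'] ) ) {
        return;
    }

    // 3. Allowlist: only plugin-owned option names, each paired with a
    //    sanitizer that fixes the value's type (names are hypothetical).
    $allowed = array(
        'e2pdf_templates_per_page' => 'absint',
        'e2pdf_templates_view'     => 'sanitize_key',
    );

    $name = isset( $_POST['wp_screen_options']['option'] )
        ? sanitize_key( wp_unslash( $_POST['wp_screen_options']['option'] ) )
        : '';

    if ( ! array_key_exists( $name, $allowed ) ) {
        // Unknown name: reject (optionally log) and never reach update_option().
        return;
    }

    $raw      = isset( $_POST['wp_screen_options']['value'] )
        ? wp_unslash( $_POST['wp_screen_options']['value'] )
        : '';
    $sanitize = $allowed[ $name ];
    update_option( $name, $sanitize( $raw ) );
}
```

The allowlist is the control that matters most here: even with the capability check and nonce in place, a handler that accepts an arbitrary option name from the request still lets any user who legitimately holds the capability write options the feature was never meant to touch.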

Defensive priority

High

Recommended defensive actions

  • Update the E2Pdf – Export Pdf Tool for WordPress plugin to a version beyond 1.32.26.
  • Review and restrict the e2pdf_templates capability to trusted roles only.
  • Implement additional monitoring for suspicious updates to WordPress options.
  • Enforce strong role-based access control for WordPress users.
  • Regularly audit WordPress site configurations and user permissions.
  • Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
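The monitoring action above can be implemented without third-party tooling by hooking WordPress's own option-change actions. The following is an added example for this debrief, not part of E2Pdf or WordPress core: a must-use plugin that writes a JSON line to the PHP error log whenever a high-impact option changes, or whenever a logged-in non-administrator changes any non-transient option. The list of sensitive options and the log format are assumptions; the `updated_option` and `added_option` hooks and their argument orders are WordPress core's.

```php
<?php
// Added example for this debrief, not part of E2Pdf or WordPress core.
// Intended as a must-use plugin (wp-content/mu-plugins/) so that it loads
// before regular plugins and cannot be deactivated from the admin UI.

// Options whose change commonly signals privilege escalation or site
// takeover. A starting point, not an exhaustive list (assumption).
function debrief_sensitive_options() {
    return array(
        'default_role',       // role given to newly registered users
        'users_can_register', // opens self-registration
        'admin_email',        // password-reset and notification target
        'siteurl',
        'home',
        'active_plugins',
        'template',
        'stylesheet',
    );
}

function debrief_is_sensitive_option( $option ) {
    return in_array( $option, debrief_sensitive_options(), true );
}

// Transients and the cron queue are written constantly; ignore them so
// the non-administrator branch below stays low-noise.
function debrief_is_noise_option( $option ) {
    return 'cron' === $option
        || 0 === strpos( $option, '_transient_' )
        || 0 === strpos( $option, '_site_transient_' );
}

// Decide whether a change should be logged at all.
function debrief_should_log( $option ) {
    if ( debrief_is_sensitive_option( $option ) ) {
        return true;
    }
    // Any option write by a logged-in user who is not an administrator is
    // unusual on a healthy site and is exactly what this CVE produces.
    return ! debrief_is_noise_option( $option )
        && is_user_logged_in()
        && ! current_user_can( 'manage_options' );
}

// One JSON record describing who changed what. $old is null for add.
function debrief_option_change_record( $option, $old, $new ) {
    $user = wp_get_current_user();
    return wp_json_encode( array(
        'event'   => 'wp_option_change',
        'option'  => $option,
        'old'     => ( is_scalar( $old ) || is_null( $old ) ) ? $old : '[non-scalar]',
        'new'     => is_scalar( $new ) ? $new : '[non-scalar]',
        'user_id' => get_current_user_id(),
        'user'    => $user ? $user->user_login : '',
        'roles'   => $user ? $user->roles : array(),
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'uri'     => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'time'    => gmdate( 'c' ),
    ) );
}

function debrief_log_option_change( $option, $old, $new ) {
    if ( ! debrief_should_log( $option ) ) {
        return;
    }
    // Escalate when a non-administrator touches a sensitive option, or when
    // default_role is pointed at administrator by anyone.
    $alert = debrief_is_sensitive_option( $option )
        && ( ! current_user_can( 'manage_options' )
             || ( 'default_role' === $option && 'administrator' === $new ) );
    $level = $alert ? 'ALERT' : 'INFO';
    error_log( $level . ' ' . debrief_option_change_record( $option, $old, $new ) );
}

// Core fires updated_option with ( $option, $old_value, $value ) and
// added_option with ( $option, $value ).
add_action( 'updated_option', function ( $option, $old, $new ) {
    debrief_log_option_change( $option, $old, $new );
}, 10, 3 );

add_action( 'added_option', function ( $option, $new ) {
    debrief_log_option_change( $option, null, $new );
}, 10, 2 );
```

Forward the PHP error log to whatever collects the web server's logs, and alert on the `ALERT` prefix; an `INFO` line for a Subscriber or Contributor account writing any option is itself a useful low-volume hunting signal for this class of bug.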

Evidence notes

This debrief is based on information from the National Vulnerability Database (NVD) and Wordfence security research. The vulnerability details were sourced from official CVE and NVD records, as well as references provided by security researchers at Wordfence.

Official resources

CVE-2026-12407 was published on 2026-06-18T04:16:34.867Z and modified on 2026-06-18T15:23:56.087Z.