What the vulnerability does
01 Description
The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but performs neither a capability check (current_user_can()) nor nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any', which returns attachments regardless of the parent post's visibility status.
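As an added illustration, not the plugin's own code, the following hypothetical WordPress AJAX handler shows the pattern the description names (no nonce, no capability check, post_status 'any') next to a hardened version that adds both checks and filters attachments by whether the caller may read the parent post. The action name example_pdf_list, the option example_userid, the script handle and the file name pdf-list.js are assumptions chosen for this example.

```php
<?php
/**
 * Added example, not code from the Katalogportal PDF Sync plugin.
 * All names used here (example_pdf_list, example_userid, pdf-list.js) are
 * hypothetical placeholders.
 */

// ---- Pattern described in the advisory: any logged-in user can call this,
// there is no nonce check and no capability check, and post_status 'any'
// returns attachments of private and draft posts as well.
function example_pdf_list_insecure() {
    $query = new WP_Query( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',
        'post_status'    => 'any',   // ignores the parent post's visibility
        'posts_per_page' => -1,
    ) );
    $items = array();
    foreach ( $query->posts as $attachment ) {
        $items[] = array(
            'title' => $attachment->post_title,
            'file'  => basename( get_attached_file( $attachment->ID ) ),
        );
    }
    wp_send_json_success( array(
        'userid' => get_option( 'example_userid' ), // configuration value leaked to every caller
        'items'  => $items,
    ) );
}
add_action( 'wp_ajax_example_pdf_list_insecure', 'example_pdf_list_insecure' );

// ---- Hardened version.
function example_pdf_list_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_pdf_list', 'nonce' );

    // 2. Authorization: only users allowed to manage the site get the listing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Attachments carry post_status 'inherit'; their visibility is the
    //    parent post's, so check the parent rather than querying 'any'.
    $query = new WP_Query( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',
        'post_status'    => 'inherit',
        'posts_per_page' => -1,
    ) );
    $items = array();
    foreach ( $query->posts as $attachment ) {
        $parent_id = (int) $attachment->post_parent;
        // Skip orphaned attachments and those whose parent the caller may not read.
        if ( 0 === $parent_id || ! current_user_can( 'read_post', $parent_id ) ) {
            continue;
        }
        $items[] = array(
            'title' => $attachment->post_title,
            'file'  => basename( get_attached_file( $attachment->ID ) ),
        );
    }

    // 4. Return only what the client needs; the option value stays server-side.
    wp_send_json_success( array( 'items' => $items ) );
}
add_action( 'wp_ajax_example_pdf_list', 'example_pdf_list_secure' );

// Issue the nonce to the admin-side script that calls the endpoint.
function example_enqueue_pdf_list_script() {
    wp_enqueue_script( 'example-pdf-list', plugins_url( 'pdf-list.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-pdf-list', 'examplePdfList', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_pdf_list' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_pdf_list_script' );
```

The nonce alone does not authorize anything, since any logged-in user who can load the page can obtain one; the current_user_can() check is what closes the Missing Authorization issue, and the per-attachment read_post check keeps private and draft material out of the response even for callers who pass the first gate.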
Explanation of Vulnerability in Simple Terms
02 Summary
The Katalogportal-pdf-sync Widget through version 1.0.0 does not properly check user permissions before allowing access to sensitive functions. An attacker without authentication can read limited data from the widget. The vulnerability requires no user interaction and affects only the confidentiality of information accessible through the widget.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the widget without authentication.
Potential impact on your site
04 Site Impact
Unauthorized users can access limited sensitive information exposed by the widget.
Conditions required to exploit
05 Prerequisites
Network access to the widget; no authentication or user interaction required.
Key dates
06 Disclosure timeline
April 15, 2026: CVE published
April 15, 2026: Record updated