CVE-2026-3649 · Severity: Medium

CVE-2026-3649: Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action

Vendor Colbeinformatik
Product Katalogportal-pdf-sync Widget
Weakness CWE-862 · Missing authorization
Published April 15, 2026
Last update April 15, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via the wp_ajax_katalogportal_shortcodePrinter hook but performs neither a capability check (current_user_can()) nor nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any', which returns attachments regardless of the parent post's visibility status.
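As an added illustration (not the plugin's actual code, but a reconstruction of the pattern the description above names), the PHP below shows the unchecked handler shape beside a hardened version of the same AJAX action. Only the hook name, the handler name, the post_status => 'any' query and the katalogportal_userid option come from the advisory; the nonce action name, the capability chosen, the MIME-type filter, the response shape and the script handle are assumptions. The hardened version goes slightly beyond the advisory's two missing checks by also narrowing the query to attachments of published posts and by not returning the configuration value at all.

```php
<?php
/*
 * Illustrative reconstruction only; NOT the plugin's real source.
 * From the advisory: hook name, handler name, post_status => 'any',
 *                    the katalogportal_userid option.
 * Assumed:           nonce action name, capability, post_mime_type filter,
 *                    response shape, script handle and path.
 */

// --- Pattern the advisory describes (illustrative) ---------------------------
// wp_ajax_* hooks run for every logged-in user, so registration alone is not
// authorization. With no nonce and no capability check, a Subscriber reaches it.
add_action( 'wp_ajax_katalogportal_shortcodePrinter', 'katalogportal_popup_shortcode_unchecked' );

function katalogportal_popup_shortcode_unchecked() {
    $query = new WP_Query( array(
        'post_type'   => 'attachment',
        'post_status' => 'any',      // ignores whether the parent is draft/private
        'nopaging'    => true,
    ) );
    $out = array( 'userid' => get_option( 'katalogportal_userid' ), 'items' => array() );
    foreach ( $query->posts as $att ) {
        $out['items'][] = array( 'title' => $att->post_title, 'file' => get_attached_file( $att->ID ) );
    }
    wp_send_json( $out );   // configuration value and real file paths go to any role
}

// --- Hardened handler --------------------------------------------------------
add_action( 'wp_ajax_katalogportal_shortcodePrinter', 'katalogportal_popup_shortcode_hardened' );

function katalogportal_popup_shortcode_hardened() {
    // 1. Nonce verification (CSRF): check_ajax_referer() dies with HTTP 403 on
    //    failure, so no return is needed. The action name is an assumed value.
    check_ajax_referer( 'katalogportal_shortcode_printer', 'nonce' );

    // 2. Authorization: keep Subscribers (and any role without the capability)
    //    out. 'edit_others_posts' (Editor and above) is an assumed choice;
    //    pick the capability that matches what the feature actually does.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Data minimisation: attachments carry status 'inherit'; visibility is
    //    decided by the parent, so check the parent instead of using 'any'.
    $query = new WP_Query( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',   // assumed filter
        'post_status'    => 'inherit',
        'nopaging'       => true,
        'fields'         => 'ids',
    ) );

    $items = array();
    foreach ( $query->posts as $attachment_id ) {
        $parent_id = wp_get_post_parent_id( $attachment_id );
        // Skip attachments whose parent post is not published (draft, private,
        // pending, trash), so hidden content does not leak via its PDFs.
        if ( $parent_id && get_post_status( $parent_id ) !== 'publish' ) {
            continue;
        }
        $items[] = array(
            'id'    => $attachment_id,
            'title' => get_the_title( $attachment_id ),
            'url'   => wp_get_attachment_url( $attachment_id ),   // public URL, not server path
        );
    }

    // 4. Configuration values such as katalogportal_userid stay server-side;
    //    the browser does not need them to render a popup list.
    wp_send_json_success( $items );
}

// --- Client side: issue the nonce the hardened handler expects --------------
add_action( 'admin_enqueue_scripts', function () {
    // 'katalogportal-admin' and admin.js are assumed names.
    wp_enqueue_script( 'katalogportal-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), null, true );
    wp_localize_script( 'katalogportal-admin', 'katalogportalAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'katalogportal_shortcode_printer' ),
    ) );
} );
```

The two checks address different risks and both are needed: the nonce ties the request to a page WordPress served to that user (CSRF), while current_user_can() decides whether that user is allowed to see the data at all (authorization). Narrowing the query and dropping the option from the response then limit what a future bypass could expose.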

Explanation of Vulnerability in Simple Terms

Summary

The Katalogportal-pdf-sync Widget through version 1.0.0 does not properly check user permissions before allowing access to sensitive functions. An attacker without authentication can read limited data from the widget. The vulnerability requires no user interaction and affects only the confidentiality of information accessible through the widget.

What an attacker can do

Attacker Capabilities

Read sensitive data from the widget without authentication.

Potential impact on your site

Site Impact

Unauthorized users can access limited sensitive information exposed by the widget.

Conditions required to exploit

Prerequisites

Network access to the widget; no authentication or user interaction required.

Key dates

Disclosure timeline

April 15, 2026 CVE published
April 15, 2026 Record updated