{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3649", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T16:23:45.982Z", "datePublished": "2026-04-15T08:28:15.977Z", "dateUpdated": "2026-04-15T15:42:28.267Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:15.977Z"}, "affected": [{"vendor": "colbeinformatik", "product": "Katalogportal-pdf-sync Widget", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status."}], "title": "Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a01e7b21-f3ff-42a8-b78a-ad69973eda01?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/trunk/inc/class.admin.php#L209"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/tags/1.0.0/inc/class.admin.php#L209"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/trunk/inc/class.admin.php#L12"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/tags/1.0.0/inc/class.admin.php#L12"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2026-04-14T19:45:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:42:17.519235Z", "id": "CVE-2026-3649", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:42:28.267Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3649", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:42:17.519235Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:42:24.010Z"}}], "cna": {"title": "Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "colbeinformatik", "product": "Katalogportal-pdf-sync Widget", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-14T19:45:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a01e7b21-f3ff-42a8-b78a-ad69973eda01?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/trunk/inc/class.admin.php#L209"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/tags/1.0.0/inc/class.admin.php#L209"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/trunk/inc/class.admin.php#L12"}, {"url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/tags/1.0.0/inc/class.admin.php#L12"}], "descriptions": [{"lang": "en", "value": "The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:15.977Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3649", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:42:28.267Z", "dateReserved": "2026-03-06T16:23:45.982Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T08:28:15.977Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status."}], "id": "CVE-2026-3649", "lastModified": "2026-04-15T09:16:31.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T09:16:31.917", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/tags/1.0.0/inc/class.admin.php#L12"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/tags/1.0.0/inc/class.admin.php#L209"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/trunk/inc/class.admin.php#L12"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/katalogportal-pdf-sync/trunk/inc/class.admin.php#L209"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a01e7b21-f3ff-42a8-b78a-ad69973eda01?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Katalogportal-pdf-sync Widget", "source": "cna", "vendor": "colbeinformatik"}, "product": "katalogportal-pdf-sync_widget", "vendor": "colbeinformatik"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T10:50:56.999301+00:00", "value": {"mitigation_remediation": ["Update the Katalogportal PDF Sync plugin to the latest release that includes an authorization check for the AJAX handler.", "If an update cannot be applied immediately, modify the plugin\u2019s admin.php file to add a capability check\u2014such as current_user_can('edit_posts')\u2014before executing the callback, or replace the add_action( 'wp_ajax_katalogportal_shortcodePrinter', \u2026 ) line with a role\u2011restricted hook.", "As an interim workaround, block or delete the vulnerable AJAX endpoint by commenting out its registration or by configuring a firewall to drop requests to admin\u2011ajax.php with the action parameter katalogportal_shortcodePrinter from subscribers or lower roles."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure to Authenticated Users"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Katalogportal PDF Sync plugin version 1.0.0 or earlier are affected. The plugin is distributed by colbeinformatik under the name Katalogportal PDF Sync Widget. No additional operating system or WordPress version constraints are listed.", "description_and_impact": "The Katalogportal PDF Sync plugin for WordPress, up to version 1.0.0, lacks proper authorization checks on its AJAX handler. Because the handler is registered without capability checks or nonce verification, any authenticated user\u2014including subscribers\u2014can invoke the endpoint. The endpoint returns a complete list of synchronized PDF attachments, including those attached to private or draft posts, along with their titles, filenames, and a configuration value. This exposes internal metadata and file names, constituting an information\u2011disclosure vulnerability identified as unauthorized access (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The flaw can be exploited by any authenticated WordPress user, a condition that can arise from legitimate access or credential compromise. Because the endpoint returns data from attachments associated with private or draft posts, the disclosed information may contain sensitive filenames and metadata. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog, implying that current exploitation activity is uncertain."}}}}, "created": "2026-04-15T13:49:14.862520+00:00", "updated": "2026-04-15T14:53:17.152293+00:00", "vendors": ["colbeinformatik", "colbeinformatik$PRODUCT$katalogportal-pdf-sync_widget", "wordpress", "wordpress$PRODUCT$wordpress"]}