{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22350", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:19.919Z", "datePublished": "2026-02-20T15:47:00.543Z", "dateUpdated": "2026-04-28T16:47:45.754Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pdf-for-elementor-forms", "product": "PDF for Elementor Forms + Drag And Drop Template Builder", "vendor": "add-ons.org", "versions": [{"changes": [{"at": "6.5.0", "status": "unaffected"}], "lessThanOrEqual": "6.3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:19:55.559Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.</p>"}], "value": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.231Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.3.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T14:39:31.367807Z", "id": "CVE-2026-22350", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:47:45.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22350", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T14:39:31.367807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T14:38:40.508Z"}}], "cna": {"title": "WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.3.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "add-ons.org", "product": "PDF for Elementor Forms + Drag And Drop Template Builder", "versions": [{"status": "affected", "changes": [{"at": "6.5.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "6.3.1"}], "packageName": "pdf-for-elementor-forms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:19:55.559Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.231Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22350", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:47:45.754Z", "dateReserved": "2026-01-07T12:21:19.919Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:47:00.543Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a PDF for Elementor Forms + Drag And Drop Template Builder: desde n/a hasta &lt;= 6.3.1."}], "id": "CVE-2026-22350", "lastModified": "2026-04-28T19:36:30.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:33.937", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.3.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "6.5.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PDF for Elementor Forms + Drag And Drop Template Builder", "source": "cna", "vendor": "add-ons.org"}, "product": "pdf_for_elementor_forms_+_drag_and_drop_template_builder", "vendor": "add-ons.org"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T16:44:50.734655+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update (6.3.2 or newer) to eliminate the missing authorization flaw.", "Re\u2011configure the plugin\u2019s access control settings to restrict PDF generation and other sensitive operations to appropriate user roles, ensuring that unauthenticated or low\u2011privileged users cannot trigger these functions.", "Disable or remove the drag\u2011and\u2011drop template builder feature if it is not required, reducing the attack surface.", "Implement web application firewall rules or other controls to block unauthorized requests to the plugin\u2019s public endpoints.", "Regularly review WordPress logs for unexpected or repeated requests to the plugin\u2019s endpoints and investigate anomalous activity promptly."], "summary": {"action": "Patch Upgrade", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the add\u2011ons.org PDF for Elementor Forms + Drag And Drop Template Builder plugin installed, versions from the initial release through 6.3.1, are affected. Any installation that has not yet updated to a fixed version remains vulnerable.", "description_and_impact": "CVE-2026\u201122350 describes a missing authorization flaw (CWE\u2011862) in the add\u2011ons.org PDF for Elementor Forms + Drag And Drop Template Builder plugin. The vulnerability permits exploitation of incorrectly configured access control security levels, potentially allowing an attacker to access or use functionality that should be restricted. The description does not specify whether PDF files, form data, or other plugin features are exposed; the impact is therefore limited to unauthorized access to the affected functionality. ", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description of a missing authorization check, it is inferred that an attacker would need only to send requests to the plugin\u2019s endpoints via the web interface without proper authentication. The exact method of exploitation is not detailed in the CVE data."}}}}, "created": "2026-02-23T14:36:43.517490+00:00", "updated": "2026-04-16T16:45:25.961422+00:00", "vendors": ["add-ons.org", "add-ons.org$PRODUCT$pdf_for_elementor_forms_+_drag_and_drop_template_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}