{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32349", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:47.068Z", "datePublished": "2026-03-13T11:41:58.830Z", "dateUpdated": "2026-04-29T09:51:57.755Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "embed-pdf-viewer", "product": "Embed PDF Viewer", "vendor": "Andy Fragen", "versions": [{"changes": [{"at": "2.4.8", "status": "unaffected"}], "lessThanOrEqual": "2.4.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mike Montoya | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:38.943Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer embed-pdf-viewer allows Server Side Request Forgery.<p>This issue affects Embed PDF Viewer: from n/a through <= 2.4.7.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer embed-pdf-viewer allows Server Side Request Forgery.This issue affects Embed PDF Viewer: from n/a through <= 2.4.7."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.755Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/embed-pdf-viewer/vulnerability/wordpress-embed-pdf-viewer-plugin-2-4-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Embed PDF Viewer plugin <= 2.4.7 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T20:04:20.559332Z", "id": "CVE-2026-32349", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T20:05:38.080Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32349", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T20:04:20.559332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T20:03:06.801Z"}}], "cna": {"title": "WordPress Embed PDF Viewer plugin <= 2.4.7 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Mike Montoya | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "affected": [{"vendor": "Andy Fragen", "product": "Embed PDF Viewer", "versions": [{"status": "affected", "changes": [{"at": "2.4.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.4.7"}], "packageName": "embed-pdf-viewer", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:24.818Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/embed-pdf-viewer/vulnerability/wordpress-embed-pdf-viewer-plugin-2-4-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer embed-pdf-viewer allows Server Side Request Forgery.This issue affects Embed PDF Viewer: from n/a through <= 2.4.7.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer embed-pdf-viewer allows Server Side Request Forgery.<p>This issue affects Embed PDF Viewer: from n/a through <= 2.4.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:41:58.830Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32349", "state": "PUBLISHED", "dateUpdated": "2026-03-13T20:05:38.080Z", "dateReserved": "2026-03-12T11:10:47.068Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:41:58.830Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer embed-pdf-viewer allows Server Side Request Forgery.This issue affects Embed PDF Viewer: from n/a through <= 2.4.7."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Andy Fragen Embed PDF Viewer embed-pdf-viewer permite la falsificaci\u00f3n de petici\u00f3n del lado del servidor. Este problema afecta a Embed PDF Viewer: desde n/a hasta &lt;= 2.4.7."}], "id": "CVE-2026-32349", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:46.793", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/embed-pdf-viewer/vulnerability/wordpress-embed-pdf-viewer-plugin-2-4-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.4.8"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Embed PDF Viewer", "source": "cna", "vendor": "Andy Fragen"}, "product": "embed_pdf_viewer", "vendor": "andy_fragen"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:50:30.037807+00:00", "value": {"mitigation_remediation": ["Update the Embed PDF Viewer plugin to a version newer than 2.4.7.", "If updating immediately is not possible, disable the plugin until a fix is available.", "Ensure the WordPress site restricts access to the plugin interface to trusted administrators only and monitor for suspicious activity."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Embed PDF Viewer plugin developed by Andy Fragen. All installations running any version up to and including 2.4.7 are vulnerable. No additional edition or configuration requirements are listed.", "description_and_impact": "This vulnerability is a Server\u2011Side Request Forgery (SSRF) that allows an attacker to make the Embed PDF Viewer plugin fetch arbitrary resources from the host system. The flaw stems from the plugin accepting a user\u2011supplied PDF URL without adequate validation, enabling requests to internal or external services. Successful exploitation could lead to data exfiltration, bypassing network perimeter defenses, or using the affected server as a proxy for further attacks. The weakness is identified as CWE\u2011918.", "risk_and_exploitability": "The CVSS base score of 4.9 indicates moderate severity, and the EPSS score of less than 1% denotes a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is inferred to involve submitting a crafted PDF URL through the plugin\u2019s interface or sending a specially crafted request to the plugin endpoint, typically requiring a user session with upload or plugin management permissions. While the exploit does not provide immediate remote code execution, it can expose internal network resources and serve as a stepping stone for more dangerous attacks."}}}}, "created": "2026-03-16T09:34:57.058885+00:00", "updated": "2026-03-23T09:59:07.090394+00:00", "vendors": ["andy_fragen", "andy_fragen$PRODUCT$embed_pdf_viewer", "wordpress", "wordpress$PRODUCT$wordpress"]}