CVE-2026-3649 describes a missing authorization vulnerability (CWE-862) in the colbeinformatik Katalogportal-pdf-sync Widget for WordPress. The katalogportal_popup_shortcode() function is registered as an AJAX handler without any user capability or nonce checks, allowing any authenticated user to access it. This endpoint returns a list of all synchronized PDF attachments, including those attached to private or draft posts, exposing titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status 'any', which bypasses visibility restrictions on parent posts. The vulnerability affects all versions up to and including 1.0.0. No patch or official remediation is currently available.

An attacker with any authenticated WordPress user account, including low-privilege roles like Subscriber, can retrieve sensitive information about PDF attachments that should be restricted. This includes PDFs attached to private or draft posts, potentially exposing confidential or unpublished content. The exposure of the katalogportal_userid configuration value may also aid further reconnaissance. There is no indication of impact on data integrity or availability, only confidentiality is affected. The CVSS score is 5.3 (medium severity), reflecting the limited scope to authenticated users and read-only data exposure.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting access to the AJAX endpoint by custom code or disabling the plugin if possible. Monitoring for unauthorized access attempts and limiting user roles that can authenticate may reduce risk. No official patch or temporary fix is currently documented.