Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gravity2pdf Gravity 2 PDF gf2pdf allows Reflected XSS. This issue affects Gravity 2 PDF: from n/a through <= 3.1.3.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of user-supplied input during web page generation (CWE-79) in the Gravity 2 PDF WordPress plugin. Because the plugin writes request input into a generated page without escaping it, an attacker can craft a link that makes the victim's browser execute arbitrary JavaScript in the context of the affected site. A reflected XSS of this kind can be used for session hijacking, credential theft, malicious redirects and page defacement. The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: no privileges are required, the victim must interact (open the crafted link), and the scope is changed because the injected script runs in the victim's browser rather than in the server-side component that produced the page.

Affected Systems

The vulnerability affects the WordPress Gravity 2 PDF plugin in all versions up to and including 3.1.3. Any WordPress installation that has this plugin installed at a vulnerable version is at risk.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High), while the EPSS score is under 1 %, indicating a low estimated probability of exploitation in the wild; the issue is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below gives Exploitation: none and Automatable: no. As a reflected XSS, exploitation requires the attacker to craft a URL or form input that the plugin reflects unescaped into a generated page and then get a victim to load it (UI:R); no authentication is needed (PR:N), and the impact is bounded by what the victim's browser session is allowed to do on the site.
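The pattern described in the Impact and Risk and Exploitability sections, as an added example that is not code from the Gravity 2 PDF plugin: a request value concatenated into HTML unescaped, beside the same output rendered with context-appropriate escaping. The parameter name `gf2pdf_title` and the markup are assumptions for illustration (the advisory does not say which input is reflected). The example uses PHP's `htmlspecialchars()` and `rawurlencode()` so it runs under the `php` CLI without WordPress; inside a plugin the equivalents are `esc_html()`, `esc_attr()` and `esc_url()`.

```php
<?php
// Added example, not code from the Gravity 2 PDF plugin. The parameter name
// "gf2pdf_title" and the markup are assumptions used for illustration; the
// advisory does not say which input is reflected.
declare(strict_types=1);

/**
 * Vulnerable pattern (CWE-79): a request value is concatenated into HTML
 * unchanged, once as text and once inside an attribute.
 */
function render_vulnerable(array $query): string
{
    $title = (string) ($query['gf2pdf_title'] ?? 'PDF');
    return '<div class="gf2pdf-notice"><h2>' . $title . '</h2>'
         . '<a href="?gf2pdf_title=' . $title . '">reload</a></div>';
}

/** Escape for an HTML text node. In WordPress this is esc_html(). */
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape for a double-quoted attribute value. In WordPress this is esc_attr(). */
function esc_attribute(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened form: every untrusted value is escaped for the exact context it
 * lands in. The URL is percent-encoded first (URL context) and then
 * attribute-escaped (HTML attribute context); WordPress would use esc_url().
 */
function render_hardened(array $query): string
{
    $title = (string) ($query['gf2pdf_title'] ?? 'PDF');
    $href  = '?gf2pdf_title=' . rawurlencode($title);
    return '<div class="gf2pdf-notice"><h2>' . esc_text($title) . '</h2>'
         . '<a href="' . esc_attribute($href) . '">reload</a></div>';
}

/** True when the rendered HTML carries no tag or attribute break from the payload. */
function payload_neutralized(string $html, string $payload): bool
{
    return strpos($html, '<script') === false
        && strpos($html, $payload) === false;
}

// Constructed sample request: the value an attacker would place in a crafted link.
// It closes the attribute it lands in and opens a script element.
$payload = '"><script>alert(document.cookie)</script>';
$sample  = ['gf2pdf_title' => $payload];

$vuln = render_vulnerable($sample);
$safe = render_hardened($sample);

echo "vulnerable: {$vuln}\n";
echo "neutralized: " . (payload_neutralized($vuln, $payload) ? 'yes' : 'no') . "\n\n";
echo "hardened:   {$safe}\n";
echo "neutralized: " . (payload_neutralized($safe, $payload) ? 'yes' : 'no') . "\n";
```

The point the two renderers make is that escaping is per context: the same value needs `esc_html()` when it becomes text, `esc_attr()` inside an attribute and `esc_url()` (or percent-encoding plus attribute escaping) when it is placed in a link. A WordPress plugin should additionally read the value through `sanitize_text_field( wp_unslash( $_GET['...'] ) )` before using it, but sanitizing on input does not replace escaping on output.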

Generated by OpenCVE AI on May 1, 2026 at 13:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gravity 2 PDF plugin to a release the vendor or Patchstack identifies as fixing this issue once one is published; as recorded above, no fixed version or workaround is listed on this page yet, so check the vendor changelog before assuming a newer version is patched.
  • Remove or deactivate the plugin on any WordPress site where it is no longer needed.
  • Deploy a web application firewall rule that blocks reflected XSS payloads aimed at the plugin's inputs as a stopgap; a WAF rule reduces exposure but does not remove the underlying flaw.


Advisories
  Source: EUVD
  ID: EUVD-2025-8144
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gravity2pdf Gravity 2 PDF allows Reflected XSS. This issue affects Gravity 2 PDF: from n/a through 3.1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics cvssV3_1:
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed:
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gravity2pdf Gravity 2 PDF allows Reflected XSS. This issue affects Gravity 2 PDF: from n/a through 3.1.3.
  Description, value added:
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gravity2pdf Gravity 2 PDF gf2pdf allows Reflected XSS.This issue affects Gravity 2 PDF: from n/a through <= 3.1.3.
  References
  Metrics cvssV3_1:
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 26 Mar 2025 15:15:00 +0000

  Metrics ssvc:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 14:45:00 +0000

  Description:
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gravity2pdf Gravity 2 PDF allows Reflected XSS. This issue affects Gravity 2 PDF: from n/a through 3.1.3.
  Title:
    WordPress Gravity 2 PDF plugin <= 3.1.3 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics cvssV3_1:
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:50.340Z

Reserved: 2025-03-11T08:09:27.024Z

Link: CVE-2025-28911

Vulnrichment

Updated: 2025-03-26T14:56:56.320Z

NVD

Status : Deferred

Published: 2025-03-26T15:16:16.493

Modified: 2026-04-23T15:26:35.267

Link: CVE-2025-28911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:15:20Z

Weaknesses