Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 2.1.0.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored XSS flaw caused by improper neutralization of user input during web page generation in PDF Generator Addon for Elementor Page Builder. An attacker can inject malicious script that will be executed in the browsers of any user who views the affected PDFs, leading to credential theft, defacement, or phishing attacks. This weakness aligns with CWE-79 and can compromise confidentiality and integrity for all visitors of the infected site.

Affected Systems

The plugin is sold by RedefiningTheWeb under the name PDF Generator Addon for Elementor Page Builder. Versions from the initial release up to and including 2.1.0 are vulnerable. The affected product is a WordPress plugin that integrates with the Elementor page builder; specific installation details beyond the plugin name are not supplied.

Risk and Exploitability

The CVSS score of 6.5 places this in the medium severity range. The EPSS score of less than 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Because it is a stored XSS that requires the attacker to create or modify content within the CMS, an attacker would need some level of authenticated access or client‑side interaction that stores malicious payloads. No external network exposure or privileged escalation is required, which limits the attack vector to authenticated content creation or injection.

Generated by OpenCVE AI on May 1, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PDF Generator Addon for Elementor Page Builder to the latest version (≥ 2.2.0) or any release that removes the flaw
  • Implement strict input sanitization for any content fields that generate PDFs, ensuring that characters such as <, >, and & are properly escaped in PDFs
  • Review user privileges in WordPress and limit who can create or edit content that feeds into PDF generation; disable these capabilities for untrusted users

Generated by OpenCVE AI on May 1, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9196 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder allows Stored XSS. This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through 1.7.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder allows Stored XSS. This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through 1.7.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 2.1.0.
Title WordPress PDF Generator Addon for Elementor Page Builder plugin <= 1.7.5 - Cross Site Scripting (XSS) vulnerability WordPress PDF Generator Addon for Elementor Page Builder plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder allows Stored XSS. This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through 1.7.5.
Title WordPress PDF Generator Addon for Elementor Page Builder plugin <= 1.7.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.264Z

Reserved: 2025-04-01T13:21:00.364Z

Link: CVE-2025-31850

cve-icon Vulnrichment

Updated: 2025-04-01T16:01:13.803Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:26.157

Modified: 2026-04-23T15:28:24.980

Link: CVE-2025-31850

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:00:06Z

Weaknesses