Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beth Tucker Long WP Post to PDF Enhanced wp-post-to-pdf-enhanced allows Stored XSS. This issue affects WP Post to PDF Enhanced: from n/a through <= 1.1.1.
Published: 2025-04-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Post to PDF Enhanced plugin version 1.1.1 and earlier suffers from a stored cross‑site scripting (XSS) flaw caused by inadequate neutralization of user input before rendering. The vulnerability allows a malicious actor to embed JavaScript that executes when a victim loads a page containing the injected content, potentially hijacking sessions, delivering malware, or compromising credentials. This weakness is classified as CWE‑79, a classic input validation issue.

Affected Systems

All releases of the Beth Tucker Long WP Post to PDF Enhanced plugin, from the initial launch through version 1.1.1, are impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog, which further limits current exploitation momentum. Attackers would need to inject a malicious payload via an interface that stores the content (likely an editor or custom field), after which any user who views the affected page would be exposed to the script. The attack vector is therefore stored XSS, predicated on the ability to write content that is persisted and displayed later.

Generated by OpenCVE AI on May 1, 2026 at 10:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Post to PDF Enhanced plugin to a version later than 1.1.1, which removes the stored XSS vector.
  • Restrict content editing access to trusted users and verify any custom fields to ensure that injected scripts are not stored.
  • Deploy a web application firewall or input sanitizer to filter and block malicious scripts before they reach the database.

Advisories
Source: EUVD
ID: EUVD-2025-11561
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beth Tucker Long WP Post to PDF Enhanced allows Stored XSS. This issue affects WP Post to PDF Enhanced: from n/a through 1.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beth Tucker Long WP Post to PDF Enhanced allows Stored XSS. This issue affects WP Post to PDF Enhanced: from n/a through 1.1.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beth Tucker Long WP Post to PDF Enhanced wp-post-to-pdf-enhanced allows Stored XSS.This issue affects WP Post to PDF Enhanced: from n/a through <= 1.1.1.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beth Tucker Long WP Post to PDF Enhanced allows Stored XSS. This issue affects WP Post to PDF Enhanced: from n/a through 1.1.1.
Title WordPress WP Post to PDF Enhanced plugin <= 1.1.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:31.300Z

Reserved: 2025-04-16T06:23:07.437Z

Link: CVE-2025-39427

Vulnrichment

Updated: 2025-04-17T16:08:52.396Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:52.750

Modified: 2026-04-23T15:29:32.043

Link: CVE-2025-39427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:15:17Z
