Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Stored XSS. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.2.0.
Published: 2025-08-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows stored cross‑site scripting in the WordPress plugin PDF for Elementor Forms + Drag And Drop Template Builder. Stored XSS can let an attacker inject malicious scripts into pages viewed by other site users, enabling session hijacking, defacement, or phishing. The weakness is identified as CWE‑79: user-supplied input is not neutralized before it is placed in generated page output.

Affected Systems

The affected product is add‑ons.org PDF for Elementor Forms + Drag And Drop Template Builder. Versions from the initial release through 6.2.0 are vulnerable. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) describes a network-reachable, low-complexity attack that requires a low-privileged account and interaction from a victim. The EPSS score of less than 1% signals a very low estimated probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through stored user‑supplied data such as form responses or template fields; an attacker can submit malicious script via the plugin’s input fields, which is then rendered unescaped in page output for subsequent visitors. While this flaw does not allow remote code execution or privilege escalation, it can compromise confidentiality, integrity, and availability of user interactions on the site.

Generated by OpenCVE AI on April 30, 2026 at 03:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PDF for Elementor Forms + Drag And Drop Template Builder to a version higher than 6.2.0 released by add‑ons.org
  • If an upgrade cannot be performed immediately, deactivate the plugin or restrict public access to the affected forms and templates until the patch is applied
  • Audit existing form submissions and template contents for hidden scripts or unauthorized HTML, removing any malicious code found


Advisories
Source: EUVD
ID: EUVD-2025-25924
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder allows Stored XSS. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 6.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder allows Stored XSS. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 6.2.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Stored XSS. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.2.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 27 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder allows Stored XSS. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 6.2.0.
Title WordPress PDF for Elementor Forms + Drag And Drop Template Builder Plugin <= 6.2.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:42.246Z

Reserved: 2025-08-27T16:19:10.126Z

Link: CVE-2025-58208

Vulnrichment

Updated: 2025-08-27T19:29:30.875Z

NVD

Status: Deferred

Published: 2025-08-27T18:15:48.817

Modified: 2026-04-23T15:33:18.383

Link: CVE-2025-58208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:15:26Z

Weaknesses