This vulnerability arises from improper neutralization of input during web page generation, allowing a stored cross‑site scripting (XSS) attack. A malicious actor can inject arbitrary JavaScript that will execute in the browsers of users who view pages rendered by the plugin, potentially leading to data theft, session hijacking, or defacement. The weakness is a classic input‑validation flaw (CWE‑79). The CVSS score of 6.5 reflects a moderate severity; however, it does not grant remote code execution or privilege escalation in the host environment.

WordPress sites that have the wp‑mpdf plugin installed with a version up to and including 3.9.1 are affected. No other vendors or product versions are listed. Organizers should verify the exact plugin version in use and consider all installations of the stated plugin range.

The EPSS score is below 1%, indicating that the likelihood of a publicly automated exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The most probable attack path involves an attacker submitting malicious content through the plugin’s interface, which is then stored and subsequently rendered to site visitors. While authentication requirements are not explicitly stated, the stored nature of the flaw means that any user who can trigger the rendering will see the injected script, making it a moderate‑risk threat for affected sites.