Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf e2pdf e2pdf. This issue affects e2pdf: from n/a through <= 1.28.09.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability results from improper neutralization of user input during web page generation in the E2Pdf e2pdf WordPress plugin. The flaw allows malicious script code to be incorporated into pages served by the plugin, creating a classic Cross‑Site Scripting condition that can be triggered when a victim visits a crafted page or submits data that is rendered by the plugin.

Affected Systems

Any WordPress site that has the E2Pdf e2pdf plugin version 1.28.09 or earlier installed is affected. The issue is present in all releases from the start of the plugin’s version history up through 1.28.09; the starting affected version is not specified, so all sites using these or older releases should assume the flaw exists.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate risk, while an EPSS score below 1% suggests that exploitation is currently rare. The vulnerability is not listed in CISA KEV. The attack vector is client‑side XSS, which implies that an attacker would need a victim to visit a crafted URL or submit malicious data that reaches the plugin’s rendering path. No specific exploitation conditions are detailed beyond that requirement.

Generated by OpenCVE AI on April 29, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the E2Pdf e2pdf WordPress plugin to a release newer than 1.28.09 where the XSS issue has been resolved.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the e2pdf plugin to eliminate the attack surface until a fix is available.
  • Implement routine input validation and output encoding on any user‑created content that passes through the e2pdf rendering process to guard against future injection flaws.

Advisories

No advisories yet.

History

Wed, 21 Jan 2026 21:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:e2pdf:e2pdf:*:*:*:*:*:wordpress:*:*

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: E2pdf; E2pdf e2pdf; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: E2pdf; E2pdf e2pdf; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf e2pdf e2pdf. This issue affects e2pdf: from n/a through <= 1.28.09.

Type: Title
Values Added: WordPress e2pdf plugin <= 1.28.09 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:52:57.495Z

Reserved: 2025-10-07T15:34:44.824Z

Link: CVE-2025-62068

Vulnrichment

Updated: 2025-10-23T14:28:09.272Z

NVD

Status: Analyzed

Published: 2025-10-22T15:16:05.590

Modified: 2026-01-21T21:03:23.503

Link: CVE-2025-62068

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses