Description
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the E2Pdf WordPress plugin that allows an authenticated user with the Contributor role or higher to inject arbitrary JavaScript via the id attribute of the e2pdf-download shortcode. Contributors lack the unfiltered_html capability, so WordPress strips HTML from the posts they save with wp_kses; a shortcode attribute, however, is plain text inside square brackets that only becomes markup when the plugin's handler renders the page, so a payload placed there survives saving and is written into the HTML unescaped. The injected shortcode is stored in post content; any user who loads a page containing it, including the Editor or Administrator who previews the Contributor's pending post, executes the injected code. This can lead to defacement, session hijacking, privileged actions performed through the victim's browser (for example via the REST API with the victim's nonce), and redirection to attacker-controlled sites, affecting the confidentiality and integrity of the site for its users; the CVSS vector records no availability impact.
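The following is an added illustration of the flaw class described above; it is not E2Pdf's code and does not reproduce the plugin's handler. It defines a hypothetical demo-download shortcode whose handler copies the id attribute into an HTML attribute, beside a hardened version that validates the value as an integer and escapes it. The WordPress functions shortcode_atts, esc_attr and absint are real; the stand-ins are assumptions so the file runs with plain php outside WordPress.

```php
<?php
// Added illustration for this page; it is not E2Pdf's code. A hypothetical
// "demo-download" shortcode copies its `id` attribute into an HTML attribute.
// Contributors lack the unfiltered_html capability, so wp_kses strips HTML from
// their saved posts, but "[demo-download id='...']" is plain text to kses: the
// value only becomes markup when the shortcode handler renders the page.
//
// Run outside WordPress with `php demo.php`; the stand-ins below are assumptions
// that are skipped when the real WordPress functions exist.

if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint): int {
        return abs((int) $maybeint);
    }
}

// VULNERABLE pattern (CWE-79): the attribute goes into the HTML unvalidated and unescaped.
function demo_download_vulnerable(array $atts): string {
    $a = shortcode_atts(['id' => ''], $atts);
    return '<a class="demo-download" data-id="' . $a['id'] . '" href="#">Download</a>';
}

// HARDENED: the id must be an integer, so validate it as one, and still escape at
// output. Either step alone neutralises the payload below; doing both is the norm.
function demo_download_hardened(array $atts): string {
    $a  = shortcode_atts(['id' => ''], $atts);
    $id = absint($a['id']);
    if ($id === 0) {
        return ''; // no usable id: render nothing rather than attacker-controlled text
    }
    return '<a class="demo-download" data-id="' . esc_attr((string) $id) . '" href="#">Download</a>';
}

// Constructed attacker value. Written in the post as
//   [demo-download id='1" onmouseover="alert(document.domain)']
// WordPress's shortcode parser accepts single-quoted values, so the double quotes
// inside reach the handler intact, and no <script> tag is needed to survive kses.
const DEMO_PAYLOAD = '1" onmouseover="alert(document.domain)';

// True when the rendered HTML carries the injected event handler.
function demo_is_injected(string $html): bool {
    return stripos($html, ' onmouseover="') !== false;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $atts = ['id' => DEMO_PAYLOAD];
    $vuln = demo_download_vulnerable($atts);
    $safe = demo_download_hardened($atts);
    echo "vulnerable: $vuln\n";   // data-id closed early, onmouseover handler injected
    echo "hardened:   $safe\n";   // data-id="1", handler gone
    echo 'injected? vulnerable=', var_export(demo_is_injected($vuln), true),
         ' hardened=', var_export(demo_is_injected($safe), true), "\n";
}
```

The vulnerable handler emits the attacker's double quote, which closes data-id and leaves onmouseover as a live attribute; the hardened one reduces the value to the integer 1 before it touches the markup. The point for a reviewer is that sanitising post content is not enough: every shortcode attribute has to be validated to its expected type and escaped at the point it is written into HTML.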

Affected Systems

The flaw affects all installations of the E2Pdf – Export Pdf Tool for WordPress plugin with a version of 1.32.17 or earlier. No other products or versions are impacted at the time of this analysis.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the flaw Medium. The EPSS score is below 1% (Very Low), the vulnerability is not listed in CISA's KEV, and the SSVC assessment recorded in the history below gives Exploitation: none and Automatable: no. An attacker must be logged in with Contributor or higher privileges. The attack path is to create or edit a post or page, insert the shortcode with a malicious id value, and wait for other users to load the page; because Contributors cannot publish, the first victim is typically the Editor or Administrator who previews or approves the pending post. The injected shortcode stays in the database until it is removed: upgrading to a fixed version changes how the value is rendered but does not delete it, so stored content should still be audited after the upgrade. There is no publicly reported active exploitation, but the low privilege requirement and the ease of crafting the payload make timely remediation advisable.

Generated by OpenCVE AI on May 8, 2026 at 11:21 UTC.

Remediation

The CVE record provides no vendor fix or workaround; the OpenCVE Recommended Actions below give the fixed version implied by the affected range and the interim mitigations.

OpenCVE Recommended Actions

  • Upgrade E2Pdf to version 1.32.18 or newer, the first release after the affected range, to eliminate the stored XSS flaw. The CVE record itself lists no remediation, so confirm the fixed version against the plugin changelog or the Wordfence advisory before relying on it.
  • If an upgrade cannot be performed immediately, audit existing posts and pages, pending and draft posts included, for e2pdf-download shortcodes whose id attribute is anything other than an integer, and remove injected shortcodes from content created by Contributor-level users. As a stopgap the shortcode can be deregistered with remove_shortcode('e2pdf-download') from a must-use plugin hooked to init at a late priority, after the plugin has registered it; the tag then renders as literal text instead of HTML. Remember that an Editor previewing a Contributor's pending post renders the shortcode and is therefore a likely first victim.
  • A web application firewall rule that blocks request bodies containing an e2pdf-download shortcode with a non-numeric id attribute can stop new injections, but only as a stopgap: the value arrives as JSON through the block editor's REST API calls and can be encoded in several ways, and a firewall does nothing about shortcodes already stored in the database.
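An added audit helper for the content review recommended above (it is not part of E2Pdf, WordPress or OpenCVE): it parses e2pdf-download shortcodes the way WordPress's shortcode_parse_atts does and reports any whose id is not a plain integer. It assumes a legitimate id is numeric; if the plugin accepts other id formats, tighten the check accordingly. The sample post content is constructed. Stand-alone it scans that sample; run under WordPress with wp eval-file it walks every post of every non-trash status, using the real get_posts function.

```php
<?php
// Added audit helper for this page, not part of E2Pdf, WordPress or OpenCVE.
// It lists e2pdf-download shortcodes whose `id` attribute is not a plain integer,
// which is what an injected attribute looks like in stored content. Stand-alone it
// scans constructed sample content (`php audit.php`); under WordPress
// (`wp eval-file audit.php`) it walks every post of every status except trash,
// including the pending drafts that Contributors hand to Editors for review.
// Assumption: a legitimate id is numeric; adjust the check if the plugin differs.

// Parse one attribute the way WordPress's shortcode_parse_atts does: double-quoted,
// single-quoted, or bare. Returns null when the attribute is absent.
function e2pdf_attr_value(string $attrs, string $name): ?string {
    $re = '/(?<![\w-])' . preg_quote($name, '/')
        . '\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'"]+))/i';
    if (!preg_match($re, $attrs, $m)) {
        return null;
    }
    if (isset($m[3]) && $m[3] !== '') return $m[3]; // bare value
    if (isset($m[2]) && $m[2] !== '') return $m[2]; // single-quoted (where a payload
                                                   // with inner double quotes hides)
    return $m[1];                                    // double-quoted
}

// One finding per shortcode whose id is present but not ^\d+$. Like WordPress's own
// shortcode regex, the attribute string ends at the first "]".
function e2pdf_find_suspicious(string $content): array {
    $findings = [];
    if (!preg_match_all('/\[e2pdf-download\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($tags as $tag) {
        $id = e2pdf_attr_value($tag[1], 'id');
        if ($id !== null && !preg_match('/^\d+$/', $id)) {
            $findings[] = ['tag' => $tag[0], 'reason' => 'non-integer id: ' . $id];
        }
    }
    return $findings;
}

// Constructed sample content (not from a real site): two benign tags, one injected.
$sampleContent = <<<'HTML'
<p>Invoice</p>
[e2pdf-download id="12"]
[e2pdf-download id=7 class="btn"]
[e2pdf-download id='12" onmouseover="alert(document.domain)']
HTML;

if (function_exists('get_posts')) {
    // Inside WordPress: 'any' covers publish, pending, draft, private and future,
    // but not trash; add 'trash' to post_status explicitly to catch removed posts.
    $posts = get_posts(['post_type' => 'any', 'post_status' => 'any', 'numberposts' => -1]);
    foreach ($posts as $p) {
        foreach (e2pdf_find_suspicious($p->post_content) as $f) {
            printf("post %d [%s] author %d: %s (%s)\n",
                $p->ID, $p->post_status, $p->post_author, $f['tag'], $f['reason']);
        }
    }
} else {
    foreach (e2pdf_find_suspicious($sampleContent) as $f) {
        printf("sample: %s (%s)\n", $f['tag'], $f['reason']); // reports only the third tag
    }
}
```

The single-quoted branch is the one that matters: a Contributor cannot get a double quote into a double-quoted attribute, but WordPress accepts single-quoted values, so id='1" onmouseover="..."' is parsed as one attribute whose value contains the double quotes. Any hit with a post_author who is a Contributor, or a post_status of pending, deserves immediate attention; compare the author's other posts for the same pattern before assuming a single stray entry.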



Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 10:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-08T12:45:42.968Z

Reserved: 2026-05-01T17:36:28.721Z

Link: CVE-2026-7650

Vulnrichment

Updated: 2026-05-08T12:45:38.810Z

NVD

Status : Received

Published: 2026-05-08T10:16:29.577

Modified: 2026-05-08T10:16:29.577

Link: CVE-2026-7650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T11:30:07Z

Weaknesses