Skip to main content

e2pdf WordPress Plugin CVE-2026-42681

| EUVDEUVD-2026-33656 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 audit@patchstack.com GHSA-3v6w-rf9f-2qhg
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:33 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf.Com e2pdf allows Reflected XSS.

This issue affects e2pdf: from n/a through 1.32.14.

AnalysisAI

Reflected cross-site scripting in the e2pdf WordPress plugin (versions up to and including 1.32.14) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The flaw stems from improper neutralization of user input during web page generation (CWE-79) and carries a CVSS 3.1 score of 7.1 with a scope change. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

e2pdf (by E2Pdf.Com) is a WordPress plugin that generates PDF documents from WordPress posts, pages, and form data. The vulnerability is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) reflected XSS, meaning user-supplied input is returned in an HTTP response without proper output encoding or sanitization, enabling the browser to interpret attacker-controlled data as executable script. The CVSS scope change (S:C) suggests the injected script can affect resources beyond the vulnerable component - typical for XSS where script executes in the browser security context of the WordPress site and can reach other origins, cookies, or admin functionality. The Patchstack advisory (the sole reference) categorizes this within the WordPress plugin ecosystem.

RemediationAI

No vendor-released patch version was identified in the provided input data - the Patchstack advisory references version 1.32.14 as the last known vulnerable release but no fixed version is cited. Site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/e2pdf/vulnerability/wordpress-e2pdf-plugin-1-32-14-reflected-cross-site-scripting-xss-vulnerability for an updated fix version and upgrade as soon as one is published. As compensating controls until a patch is available, administrators can deactivate the e2pdf plugin (side effect: PDF generation functionality is lost), deploy a web application firewall rule that blocks script-like payloads on e2pdf endpoints (side effect: may false-positive on legitimate document content), or enforce a strict Content-Security-Policy header that disallows inline scripts on WordPress admin pages (side effect: may break other plugins that rely on inline JavaScript).

Share

CVE-2026-42681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy