CVE-2026-7650
Stored XSS in E2Pdf WordPress Plugin
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| e2pdf | e2pdf | to 1.32.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access to inject malicious scripts into WordPress pages.
When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to theft of user credentials, session hijacking, or unauthorized actions performed on behalf of the user.
Because the attack is stored, the malicious code persists on the site until removed, increasing the risk and impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Stored Cross-Site Scripting vulnerability in the E2Pdf WordPress plugin, you should immediately update the plugin to a version later than 1.32.17 where the issue is fixed.
Additionally, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated access at that level.
Consider temporarily disabling the E2Pdf plugin if an update is not immediately available or feasible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the E2Pdf WordPress plugin allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via Stored Cross-Site Scripting (XSS). This can lead to unauthorized script execution when users access the injected pages.
Such a vulnerability can potentially impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or exposure of sensitive personal or health information through malicious scripts. Stored XSS can be exploited to steal user credentials, session tokens, or other sensitive data, thereby violating data protection requirements.
However, the provided information does not explicitly detail the direct compliance impact or specific regulatory consequences of this vulnerability.
Can you explain this vulnerability to me?
The E2Pdf β Export Pdf Tool for WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'id' attribute of the e2pdf-download shortcode in all versions up to and including 1.32.17.
This vulnerability arises because the plugin does not properly sanitize or escape input provided in the 'id' attribute, allowing authenticated users with Contributor-level access or higher to inject malicious scripts.
These injected scripts execute whenever any user accesses a page containing the malicious shortcode, potentially compromising user sessions or data.