E2Pdf – Export Pdf Tool for WordPress <= 1.32.14 - Reflected Cross-Site Scripting
Description
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.32.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.32.15
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-42681 (E2Pdf Reflected XSS) ## 1. Vulnerability Summary The **E2Pdf – Export Pdf Tool for WordPress** plugin (versions <= 1.32.14) is vulnerable to **Reflected Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to properly sanitiz…
Show full research plan
Exploitation Research Plan - CVE-2026-42681 (E2Pdf Reflected XSS)
1. Vulnerability Summary
The E2Pdf – Export Pdf Tool for WordPress plugin (versions <= 1.32.14) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to properly sanitize and escape user-supplied input before reflecting it back onto the page. Specifically, parameters used in the administration dashboard (such as s for search or status in the templates list) are reflected in the response. Since the plugin is designed to handle unauthenticated "View" or "Download" requests in some configurations, and admin pages reflect these parameters, an attacker can craft a malicious URL to execute arbitrary JavaScript in the context of a victim's browser (typically an administrator).
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin.php - Page:
e2pdf-templates(and potentiallye2pdf-settingsore2pdf-export) - Vulnerable Parameters:
s(Search),status,orderby,order. - Authentication: Unauthenticated (Attacker), Administrator (Victim).
- Preconditions: An administrator must be logged in and must click a malicious link generated by the attacker.
- Payload Type: Reflected XSS via GET parameter.
3. Code Flow
The vulnerability originates
Summary
The E2Pdf plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 1.32.14. This vulnerability exists because the plugin fails to properly sanitize and escape administrative parameters such as 's', 'status', 'orderby', and 'order' before reflecting them in the administration dashboard, allowing attackers to execute arbitrary JavaScript in the context of an administrator's browser session.
Vulnerable Code
/* classes/controller/e2pdf-templates.php line 33 */ if ($this->post->get('s')) { $location = $this->helper->get_url( array( 'page' => 'e2pdf-templates', 'status' => $this->get->get('status'), 'orderby' => $this->get->get('orderby'), 'order' => $this->get->get('order'), 's' => $this->post->get('s'), ) ); } else { $location = $this->helper->get_url( array( 'page' => 'e2pdf-templates', 'status' => $this->get->get('status'), 'orderby' => $this->get->get('orderby'), 'order' => $this->get->get('order'), ) ); }
Security Fix
@@ -1324,21 +1324,21 @@ if ($extension->method('merged_items')) { $select = new stdClass(); $select->id = '-2'; - $select->url = 'javascript:void(0);'; + $select->url = ''; $select->name = __('Merged Connections', 'e2pdf'); array_unshift($content, $select); } if ($extension->method('auto_form')) { $select = new stdClass(); $select->id = '-1'; - $select->url = 'javascript:void(0);'; + $select->url = ''; $select->name = __('Auto Form from PDF', 'e2pdf'); array_unshift($content, $select); } } $select = new stdClass(); $select->id = ''; - $select->url = 'javascript:void(0);'; + $select->url = ''; $select->name = __('--- Select ---', 'e2pdf'); array_unshift($content, $select); $response = array(
Exploit Outline
To exploit this vulnerability, an attacker identifies the 'e2pdf-templates' admin page at 'wp-admin/admin.php?page=e2pdf-templates'. A malicious URL is crafted by appending a JavaScript payload to one of the vulnerable parameters, for example: 'wp-admin/admin.php?page=e2pdf-templates&s="><script>alert(origin)</script>'. The attacker then social engineers an authenticated administrator into clicking the link. When the page loads, the plugin reflects the malicious input in the administrative interface without proper output escaping, leading to the execution of the injected script in the context of the administrator's session.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.