CVE-2026-42681

E2Pdf – Export Pdf Tool for WordPress <= 1.32.14 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
1.32.15
Patched in
9d
Time to patch

Description

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.32.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.32.14
PublishedMay 18, 2026
Last updatedMay 26, 2026
Affected plugine2pdf

What Changed in the Fix

Changes introduced in v1.32.15

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-42681 (E2Pdf Reflected XSS) ## 1. Vulnerability Summary The **E2Pdf – Export Pdf Tool for WordPress** plugin (versions <= 1.32.14) is vulnerable to **Reflected Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to properly sanitiz…

Show full research plan

Exploitation Research Plan - CVE-2026-42681 (E2Pdf Reflected XSS)

1. Vulnerability Summary

The E2Pdf – Export Pdf Tool for WordPress plugin (versions <= 1.32.14) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to properly sanitize and escape user-supplied input before reflecting it back onto the page. Specifically, parameters used in the administration dashboard (such as s for search or status in the templates list) are reflected in the response. Since the plugin is designed to handle unauthenticated "View" or "Download" requests in some configurations, and admin pages reflect these parameters, an attacker can craft a malicious URL to execute arbitrary JavaScript in the context of a victim's browser (typically an administrator).

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin.php
  • Page: e2pdf-templates (and potentially e2pdf-settings or e2pdf-export)
  • Vulnerable Parameters: s (Search), status, orderby, order.
  • Authentication: Unauthenticated (Attacker), Administrator (Victim).
  • Preconditions: An administrator must be logged in and must click a malicious link generated by the attacker.
  • Payload Type: Reflected XSS via GET parameter.

3. Code Flow

The vulnerability originates

Research Findings
Static analysis — not yet PoC-verified

Summary

The E2Pdf plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 1.32.14. This vulnerability exists because the plugin fails to properly sanitize and escape administrative parameters such as 's', 'status', 'orderby', and 'order' before reflecting them in the administration dashboard, allowing attackers to execute arbitrary JavaScript in the context of an administrator's browser session.

Vulnerable Code

/* classes/controller/e2pdf-templates.php line 33 */
if ($this->post->get('s')) {
    $location = $this->helper->get_url(
            array(
                'page' => 'e2pdf-templates',
                'status' => $this->get->get('status'),
                'orderby' => $this->get->get('orderby'),
                'order' => $this->get->get('order'),
                's' => $this->post->get('s'),
            )
    );
} else {
    $location = $this->helper->get_url(
            array(
                'page' => 'e2pdf-templates',
                'status' => $this->get->get('status'),
                'orderby' => $this->get->get('orderby'),
                'order' => $this->get->get('order'),
            )
    );
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/e2pdf/1.32.11/classes/controller/e2pdf-templates.php /home/deploy/wp-safety.org/data/plugin-versions/e2pdf/1.32.15/classes/controller/e2pdf-templates.php
--- /home/deploy/wp-safety.org/data/plugin-versions/e2pdf/1.32.11/classes/controller/e2pdf-templates.php	2026-04-01 11:18:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/e2pdf/1.32.15/classes/controller/e2pdf-templates.php	2026-04-22 12:52:22.000000000 +0000
@@ -1324,21 +1324,21 @@
                 if ($extension->method('merged_items')) {
                     $select = new stdClass();
                     $select->id = '-2';
-                    $select->url = 'javascript:void(0);';
+                    $select->url = '';
                     $select->name = __('Merged Connections', 'e2pdf');
                     array_unshift($content, $select);
                 }
                 if ($extension->method('auto_form')) {
                     $select = new stdClass();
                     $select->id = '-1';
-                    $select->url = 'javascript:void(0);';
+                    $select->url = '';
                     $select->name = __('Auto Form from PDF', 'e2pdf');
                     array_unshift($content, $select);
                 }
             }
             $select = new stdClass();
             $select->id = '';
-            $select->url = 'javascript:void(0);';
+            $select->url = '';
             $select->name = __('--- Select ---', 'e2pdf');
             array_unshift($content, $select);
             $response = array(

Exploit Outline

To exploit this vulnerability, an attacker identifies the 'e2pdf-templates' admin page at 'wp-admin/admin.php?page=e2pdf-templates'. A malicious URL is crafted by appending a JavaScript payload to one of the vulnerable parameters, for example: 'wp-admin/admin.php?page=e2pdf-templates&s="><script>alert(origin)</script>'. The attacker then social engineers an authenticated administrator into clicking the link. When the page loads, the plugin reflects the malicious input in the administrative interface without proper output escaping, leading to the execution of the injected script in the context of the administrator's session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.