Reflected Cross-Site Scripting Vulnerability in PDFCrowd Plugin for WordPress
CVE-2026-0862

6.1MEDIUM

Key Information:

Vendor

WordPress
Status
Save As PDF Plugin By PDFcrowd
Vendor
CVE Published:
24 January 2026

What is CVE-2026-0862?

The Save as PDF Plugin by PDFCrowd for WordPress suffers from a reflected cross-site scripting vulnerability due to inadequate input sanitization and output escaping in the 'options' parameter. This flaw enables attackers to execute arbitrary web scripts on pages viewed by users if they manipulate victims into clicking specially crafted links. Particularly risky under default settings where the PDFCrowd API key is left blank (demo mode), this vulnerability poses significant security concerns for WordPress sites running affected plugin versions up to and including 4.5.5.

Affected Version(s)

Save as PDF Plugin by PDFCrowd 0 <= 4.5.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3438577/save...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Hydzik
.