Save as PDF Plugin by PDFCrowd < 4.5.6 – Reflected Cross-Site Scripting via options | CVE 2026-0862 | Plugin Vulnerabilities

Description

The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known.

Affects Plugins

save-as-pdf-by-pdfcrowd

Fixed in 4.5.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/74172fcb-7428-464a-89f1-f1f3af50e361

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

edb6f895-d68b-40d0-bd57-9a4fea33279e

Timeline

Publicly Published

2026-01-24 (about 2 months ago)

Added

2026-01-24 (about 2 months ago)

Last Updated

2026-01-24 (about 2 months ago)

Other

Published

Title

Published

2014-08-01

Title

Alpine PhotoTile For Instagram <= 1.2.6.5 - Cross-Site Scripting (XSS)

Published

2024-11-04

Title

Fabrica Synced Pattern Instances < 1.0.9 - Reflected Cross-Site Scripting

Published

2023-07-26

Title

Molongui < 4.6.20 - Reflected XSS

Published

2025-01-14

Title

turboSMTP < 4.7 - Reflected Cross-Site Scripting

Published

2023-10-12

Title

WP 5.6-6.3.1 - Reflected XSS via Application Password Requests