Wonder PDF Embed < 1.7 - Contributor+ Stored XSS
Description
The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/Wonder PDF Embed
- Range: <1.7
Patches
Vulnerability mechanics
Root cause
"Missing output escaping of shortcode parameters in the wonderplugin_pdf shortcode allows stored XSS."
Attack vector
An attacker with a role as low as Contributor can inject arbitrary JavaScript into a WordPress post or page by supplying a malicious payload in a parameter of the `wonderplugin_pdf` shortcode [ref_id=1]. Because the plugin fails to escape shortcode parameters, the injected script is stored in the database and executed in the browser of any user viewing the affected content. This is a Stored Cross-Site Scripting (XSS) attack [CWE-79].
Affected code
The `wonderplugin_pdf` shortcode in the Wonder PDF Embed plugin does not escape its parameters. The advisory does not specify the exact file or function name, but the shortcode handler is the vulnerable code path.
What the fix does
The advisory states the vulnerability is fixed in version 1.7 of the Wonder PDF Embed plugin [ref_id=1]. The fix involves properly escaping the parameters of the `wonderplugin_pdf` shortcode before output, preventing injected HTML or JavaScript from being interpreted by the browser. No patch diff is provided in the bundle.
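The advisory names no file or attribute, so the following is an added illustration, not the plugin's own code: a hypothetical shortcode handler (`demo_pdf_shortcode_vulnerable` / `demo_pdf_shortcode_hardened`, attributes `src`, `width`, `height`, `title` all assumed) shown first with the unescaped output pattern the advisory describes and then with the context-appropriate escaping a fix of this kind applies. The WordPress helpers (`shortcode_atts`, `esc_attr`, `esc_url`, `absint`) are stubbed when the file is run outside WordPress so it executes with `php demo.php`.

```php
<?php
// Added example, not Wonder PDF Embed's code. Shortcode name, handler names and
// attributes are assumptions; the advisory does not specify them.
// Stand-ins for WordPress core helpers so the file runs outside WordPress.

if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        $atts = is_array($atts) ? $atts : [];
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    // Attribute-context escaping: quotes, angle brackets and ampersands become entities.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: accept only http(s) URLs, then attribute-escape them.
    function esc_url($url) {
        $url = trim((string) $url);
        return preg_match('#^https?://#i', $url) ? esc_attr($url) : '';
    }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}

$defaults = ['src' => '', 'width' => 600, 'height' => 400, 'title' => ''];

// Vulnerable pattern: attribute values are concatenated into HTML unchanged, so a
// Contributor who can save the shortcode controls markup rendered for every viewer.
function demo_pdf_shortcode_vulnerable($atts) {
    global $defaults;
    $a = shortcode_atts($defaults, $atts);
    return '<iframe src="' . $a['src'] . '" width="' . $a['width']
         . '" height="' . $a['height'] . '" title="' . $a['title'] . '"></iframe>';
}

// Hardened pattern: every value is validated or escaped for the context it lands in.
function demo_pdf_shortcode_hardened($atts) {
    global $defaults;
    $a = shortcode_atts($defaults, $atts);
    $src = esc_url($a['src']);
    if ($src === '') {
        return ''; // render nothing for a non-http(s) source instead of trusting it
    }
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" title="%s"></iframe>',
        $src, absint($a['width']), absint($a['height']), esc_attr($a['title'])
    );
}

// Constructed attribute set standing in for a stored shortcode whose title value
// closes the quoted attribute and appends a new one.
$stored_atts = [
    'src'   => 'https://example.com/brochure.pdf',
    'width' => '800abc',               // non-numeric noise, should be coerced to 800
    'title' => '" onload="injected()', // constructed attribute-breakout value
];

echo "Vulnerable output:\n" . demo_pdf_shortcode_vulnerable($stored_atts) . "\n\n";
echo "Hardened output:\n" . demo_pdf_shortcode_hardened($stored_atts) . "\n";
// In a plugin the hardened handler would be registered with
// add_shortcode('pdf_demo', 'demo_pdf_shortcode_hardened');
```

In the vulnerable output the `title` value terminates the attribute and the injected `onload` handler becomes live markup; in the hardened output the same value is emitted as `title="&quot; onload=&quot;injected()"` and stays inert text, `width` is reduced to the integer 800, and a non-http(s) `src` causes the shortcode to render nothing. Reviewing a shortcode handler for this class of bug comes down to checking that each attribute reaches exactly one escaping or validation function matched to its output context before it is concatenated into HTML.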
Preconditions
- Auth: Attacker must have a WordPress user account with at least the Contributor role.
- Config: The Wonder PDF Embed plugin must be installed and active with a version prior to 1.7.
- Input: The attacker must be able to create or edit posts/pages using the `wonderplugin_pdf` shortcode.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/e6602369-87f4-4454-8298-89cc69f8375c (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.