CVE-2025-31850
Description
Stored XSS in PDF Generator Addon for Elementor Page Builder <=2.1.0 allows attackers to inject arbitrary web scripts via unneutralized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PDF Generator Addon for Elementor Page Builder plugin for WordPress, versions up to and including 2.1.0, suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during PDF generation. This allows unauthenticated or authenticated users to inject arbitrary web scripts that are stored and executed when the PDF is rendered.
Exploitation
An attacker can exploit this vulnerability by submitting malicious input (e.g., via comments, posts, or Elementor forms) that is processed by the plugin without proper sanitization. The injected script is stored within the generated PDF content and executed in the victim's browser when the PDF is viewed, requiring no special privileges beyond the ability to submit content to the site.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or theft of sensitive information displayed in the PDF. The attack scope is limited to users who view the generated PDF.
Mitigation
The vulnerability is fixed in version 2.2.0 of the plugin [1]. Users are strongly advised to update to this version or later. No other workarounds are provided in the available references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.1.0
- Range: <=2.1.0
Patches
No patches discovered yet.
References