CVE-2025-8397

The Save as PDF Button plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability in versions up to and including 1.9.2. The flaw exists in the restpackpdfbutton shortcode, where user-supplied attributes are not properly sanitized or escaped before being output [1]. This oversight enables attackers to inject arbitrary web scripts into pages.

Exploitation requires an authenticated user with at least contributor-level access. The attacker can embed a malicious shortcode attribute (e.g., button_text) containing JavaScript, which will be stored and executed whenever a victim views the affected page.

Successful injection leads to arbitrary script execution in the context of the victim's browser, potentially allowing session hijacking, defacement, or redirection to malicious sites.

The plugin has been closed as of September 10, 2025, due to this security issue and is not available for download [2]. No patched version exists; users should remove the plugin immediately.