VYPR
Medium severity · 6.4 (NVD) · Advisory · Published May 8, 2026 · Updated May 8, 2026

CVE-2026-7650

Description

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the e2pdf-download shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in E2Pdf plugin through unescaped shortcode attribute allows Contributor+ users to inject scripts.

Vulnerability

Overview

The E2Pdf – Export Pdf Tool for WordPress plugin (versions up to and including 1.32.17) contains a Stored Cross-Site Scripting (XSS) vulnerability. It stems from insufficient sanitization and output escaping of the id attribute in the [e2pdf-download] shortcode [1]. When a user creates a page or post using this shortcode, the unsanitized attribute can be used to inject arbitrary JavaScript.

Exploitation

Conditions

Exploitation requires an authenticated attacker with at least Contributor-level permissions, which allows them to create and publish content. The attacker can add a malicious [e2pdf-download id=""><script>alert('XSS')</script>"] shortcode in a page or post. Any user (including administrators) who views the affected page will execute the injected script in their browser [1]. The attack does not require any special network access beyond standard WordPress usage.

Impact

Successful exploitation results in full stored XSS execution. An attacker can steal session cookies, perform actions on behalf of the victim, deface pages, or redirect users to malicious sites. Since the script executes in the context of the WordPress admin area for logged-in users, privilege escalation to administrator is possible by forging requests (CSRF chaining) [1].

Mitigation

The vendor has not yet released a patched version as of the CVE publication date (2026-05-08). Users should restrict Contributor and higher roles to trusted users, remove the shortcode from untrusted content, or apply a web application firewall rule to block malicious id values until an update is available [1].
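As an added illustration (not E2Pdf's code, which is not shown on this page), a minimal WordPress shortcode handler exhibiting the unescaped-attribute pattern described above, beside a hardened version that coerces id to an integer and escapes on output. The WordPress helper names (shortcode_atts, absint, esc_attr) are real; stand-ins are defined so the file runs outside WordPress, and the hostile value is constructed from the payload quoted in the Exploitation section.

```php
<?php
// Illustrative shortcode handlers, not the plugin's own code.
// Stand-ins for WordPress helpers so this file runs without WordPress loaded.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('absint')) {
    function absint($value) { return abs((int) $value); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Vulnerable pattern: the attribute value is concatenated straight into an HTML attribute.
// A value containing "> closes the attribute and the tag, and the remainder becomes markup.
function vulnerable_download_shortcode($atts) {
    $atts = shortcode_atts(['id' => ''], $atts);
    return '<a class="e2pdf-download" data-id="' . $atts['id'] . '">Download</a>';
}

// Hardened pattern: validate the type on input (a template id is a positive integer)
// and escape on output, so even an unexpected value cannot break out of the attribute.
function hardened_download_shortcode($atts) {
    $atts = shortcode_atts(['id' => ''], $atts);
    $id = absint($atts['id']);
    if ($id === 0) {
        return ''; // reject anything that is not a positive template id
    }
    return '<a class="e2pdf-download" data-id="' . esc_attr($id) . '">Download</a>';
}

// Constructed attribute value modelled on the payload quoted in the advisory.
$hostile = ['id' => '"><script>alert(\'XSS\')</script>'];

echo vulnerable_download_shortcode($hostile), PHP_EOL; // script tag lands in the page
echo hardened_download_shortcode($hostile), PHP_EOL;   // empty string: value rejected
echo hardened_download_shortcode(['id' => '42']), PHP_EOL; // legitimate id passes through
```

The same integer check is what a WAF or content-review rule would apply to the id attribute of stored shortcodes while no patched release is available.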

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 1