The Pdfcrowd Save as PDF plugin suffers from a CWE-862 Missing Authorization vulnerability that permits stored XSS attacks. This occurs because the plugin does not properly enforce authorization controls, allowing malicious input to be stored and later executed in users' browsers. The issue affects all versions up to 3.2.0. The CVSS 3.1 vector indicates network attack vector, low attack complexity, requiring low privileges and user interaction, with impacts on confidentiality, integrity, and availability rated as low to low and low respectively. No patch or official fix has been published yet.

Successful exploitation could allow an attacker with low privileges to inject malicious scripts that are stored and executed in the context of other users, potentially leading to information disclosure, integrity modification, or denial of service. The impact is rated medium severity based on the CVSS score of 6.5. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the plugin or implementing additional authorization checks at the application level to prevent unauthorized input storage. Monitoring for unusual activity related to the plugin is advisable.