CVE-2025-28911 identifies a reflected Cross-site Scripting (XSS) vulnerability in the Gravity 2 PDF plugin (gravity2pdf), specifically affecting versions up to 3.1.3. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be injected and reflected back to users. This reflected XSS flaw enables attackers to craft malicious URLs that, when visited by unsuspecting users, execute arbitrary JavaScript in the context of the victim's browser session. The plugin is commonly used within WordPress environments to generate PDFs from form data, making it a target for attackers seeking to compromise websites or their users. Exploitation does not require authentication, increasing the attack surface, and does not depend on user interaction beyond clicking a malicious link. Although no known exploits have been reported in the wild, the vulnerability poses significant risks including session hijacking, theft of sensitive information, and unauthorized actions performed with the victim's privileges. The absence of a CVSS score necessitates an assessment based on the vulnerability's characteristics, which indicate a high severity due to the ease of exploitation and potential impact on confidentiality and integrity. The vulnerability affects all installations of Gravity 2 PDF up to version 3.1.3, and users are advised to monitor for patches or apply mitigations promptly.

The primary impact of CVE-2025-28911 is the compromise of user confidentiality and integrity through the execution of arbitrary scripts in the victim's browser. Attackers can hijack user sessions, steal cookies, credentials, or other sensitive data, and perform unauthorized actions on behalf of users, potentially leading to account takeover or data breaches. For organizations, this can result in reputational damage, loss of customer trust, and regulatory penalties if sensitive data is exposed. The vulnerability affects websites using the Gravity 2 PDF plugin, which is integrated into WordPress sites that generate PDFs from form data. Given WordPress's widespread use globally, the scope of affected systems is substantial. The ease of exploitation without authentication and minimal user interaction increases the likelihood of successful attacks, especially through phishing or social engineering campaigns. While availability is less directly impacted, the integrity and confidentiality risks are significant, making this a critical concern for organizations relying on this plugin for document generation.

1. Immediate mitigation involves applying any official patches or updates released by the Gravity 2 PDF plugin developers once available. 2. Until patches are released, implement Web Application Firewall (WAF) rules to detect and block malicious input patterns commonly used in reflected XSS attacks targeting the plugin. 3. Employ strict input validation and output encoding on all user-supplied data processed by the plugin to neutralize potentially malicious scripts. 4. Educate users and administrators about the risks of clicking untrusted links, especially those that may appear to originate from legitimate sites using the plugin. 5. Monitor web server logs and application logs for unusual URL requests or suspicious query parameters that may indicate attempted exploitation. 6. Consider disabling or limiting the use of the Gravity 2 PDF plugin if it is not essential, or isolate it in a controlled environment with minimal user privileges. 7. Conduct regular security assessments and penetration testing focused on web application vulnerabilities, including XSS, to identify and remediate similar issues proactively.