CVE-2025-8397 is a stored cross-site scripting (XSS) vulnerability identified in the 'Save as PDF Button' WordPress plugin developed by restpack. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's shortcode 'restpackpdfbutton'. The flaw affects all versions up to and including 1.9.2. An attacker with contributor-level or higher privileges can exploit this vulnerability by injecting arbitrary JavaScript code into pages or posts via the shortcode attributes. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially allowing session hijacking, defacement, or unauthorized actions within the context of the victim's browser session. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact primarily affects confidentiality and integrity, with no direct availability impact. No public exploits have been reported yet, but the vulnerability's nature and ease of exploitation by authenticated users make it a significant risk for WordPress sites using this plugin. The vulnerability was published on November 13, 2025, with no patch currently available, emphasizing the need for interim mitigations.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of web content and user sessions on WordPress sites using the 'Save as PDF Button' plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, unauthorized actions, or data theft. This can damage organizational reputation, lead to data breaches involving personal or sensitive information, and disrupt trust in digital services. Given the widespread use of WordPress across Europe for corporate, governmental, and media websites, the vulnerability could affect a broad range of sectors including public administration, media, education, and e-commerce. The requirement for contributor-level access somewhat limits the attack surface but does not eliminate risk, especially in environments with many content editors or where account compromise is possible. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation. The vulnerability's impact is heightened in organizations with high user interaction on WordPress sites and where the plugin is actively used to generate PDF content.

1. Monitor the vendor's announcements for an official patch and apply it immediately upon release. 2. Until a patch is available, restrict contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. 3. Implement manual input validation and output escaping for shortcode attributes if possible, using WordPress security best practices and functions like esc_attr() and wp_kses(). 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs or script injections targeting the plugin. 5. Conduct regular security audits and scanning of WordPress sites to detect injected scripts or anomalous content. 6. Educate content contributors about the risks of inserting untrusted content and enforce strict content policies. 7. Consider temporarily disabling the 'Save as PDF Button' plugin if the risk is deemed unacceptable until a secure version is available. 8. Maintain up-to-date backups to enable recovery from potential defacement or compromise.