CVE-2026-0862 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Save as PDF Plugin by PDFCrowd for WordPress, present in all versions up to and including 4.5.5. The root cause is insufficient input sanitization and output escaping of the 'options' parameter used during web page generation. This flaw allows unauthenticated attackers to craft malicious URLs containing JavaScript payloads that, when clicked by a victim, execute within the victim's browser context. The vulnerability is contingent on the PDFCrowd API key being blank or known, which corresponds to the plugin's default 'demo mode' configuration upon installation. This condition significantly lowers the barrier to exploitation, as no authentication is required. The reflected XSS can lead to theft of user credentials, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The CVSS 3.1 base score of 6.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The scope is changed due to the potential impact on other components via script execution. No patches or known exploits have been reported yet, but the vulnerability poses a tangible risk to WordPress sites using this plugin without proper configuration. The vulnerability falls under CWE-79, a common and well-understood category of input validation errors leading to XSS.

The primary impact of CVE-2026-0862 is on the confidentiality and integrity of users interacting with vulnerable WordPress sites using the Save as PDF Plugin by PDFCrowd. Attackers can execute arbitrary scripts in the context of the victim's browser, potentially stealing cookies, session tokens, or other sensitive data, leading to account compromise or unauthorized actions. Since the attack requires user interaction (clicking a malicious link), phishing campaigns can be an effective exploitation vector. The vulnerability does not directly affect availability but can indirectly cause reputational damage and loss of user trust for affected organizations. Sites running the plugin with default or exposed API keys are at higher risk, as the vulnerability cannot be exploited otherwise. Given WordPress's widespread use and the plugin's functionality, organizations worldwide that rely on this plugin for PDF generation are vulnerable, especially if security best practices are not followed. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks.

To mitigate CVE-2026-0862, organizations should first ensure that the PDFCrowd API key is set to a secure, non-default value immediately after plugin installation, eliminating the 'demo mode' condition required for exploitation. Administrators should verify that the plugin is updated to the latest version once a patch is released; until then, consider disabling the plugin if it is not essential. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'options' parameter can reduce risk. Site owners should also educate users about phishing risks and avoid clicking on untrusted links. For developers or administrators with access, applying manual input validation and output encoding for parameters used in page generation can provide interim protection. Regular security audits and monitoring for unusual activity related to the plugin are recommended. Finally, consider alternative PDF generation plugins with a stronger security track record if timely patching is not feasible.