CVE-2026-0862 is a reflected cross-site scripting vulnerability (CWE-79) in the Save as PDF Plugin by PDFCrowd for WordPress. The flaw exists in the 'options' parameter due to improper neutralization of input during web page generation, allowing injection of arbitrary web scripts. Successful exploitation depends on the PDFCrowd API key being blank or known, which is the default configuration upon installation (demo mode). The vulnerability affects all versions up to and including 4.5.5. The CVSS 3.1 base score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability.

An attacker can perform reflected cross-site scripting attacks by injecting malicious scripts via the 'options' parameter if the PDFCrowd API key is blank or known. This can lead to limited confidentiality and integrity impacts, such as theft of user session data or manipulation of web page content when a user is tricked into clicking a crafted link. There is no impact on availability. The vulnerability requires user interaction and no authentication, but the scope is changed, indicating potential impact beyond the vulnerable component.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should ensure that the PDFCrowd API key is set to a secure, non-default value to prevent exploitation in demo mode. Avoid using the plugin with a blank or publicly known API key. Monitor vendor channels for updates or official fixes.