The E2Pdf – Export Pdf Tool for WordPress plugin suffers from a stored cross-site scripting vulnerability due to improper neutralization of input in the 'id' attribute of the e2pdf-download shortcode. This allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. The vulnerability exists in all versions up to 1.32.17 because the plugin does not properly sanitize or escape this shortcode attribute before rendering it in the page output. Exploitation could lead to script execution in the context of users viewing the compromised pages, potentially impacting confidentiality and integrity. The CVSS 3.1 base score is 6.4 (medium), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity.

An attacker with Contributor-level or higher privileges can inject malicious scripts into WordPress pages using the vulnerable shortcode attribute. These scripts execute in the browsers of users who view the infected pages, potentially allowing theft of session cookies, defacement, or other client-side attacks. The vulnerability does not impact availability. There are no known public exploits currently. The impact is limited to sites using the affected plugin versions and where attackers have sufficient privileges to post content.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only. Consider removing or disabling the vulnerable shortcode if possible. Monitor plugin updates from the vendor and apply any official patches promptly once available.