Severity: HIGH | CVE-2026-42681 | CNA: Patchstack

CVE-2026-42681: WordPress e2pdf plugin <= 1.32.14 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf.Com e2pdf allows Reflected XSS. This issue affects e2pdf: from n/a through 1.32.14.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Reflected cross-site scripting (XSS) in the WordPress e2pdf plugin (versions up to and including 1.32.14) allows an unauthenticated remote attacker to inject malicious JavaScript into pages served to victims. Exploitation requires tricking a logged-in user into clicking a crafted link, after which the script runs in the victim's browser session with access to cookies, page content, and the ability to perform actions on the victim's behalf. Successful exploitation enables limited data disclosure, content tampering, and minor service disruption within the victim's browser context. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-42681 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the e2pdf plugin. Any image containing e2pdf at or below version 1.32.14 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector and can weight that score against each environment's compliance policy to adjust urgency and routing. Triage tickets are routable to the appropriate team inbox within each customer org based on registry ownership and policy configuration.

Patch: Pending upstream

No upstream fix version has been published for this CVE yet. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the e2pdf maintainers ship a remediated release.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the target WordPress site over the network to deliver a crafted URL containing the malicious payload.

  • Authentication: Not required

    No account or credentials are needed; the attacker crafts a link and delivers it to a victim without authenticating to the application.

  • Victim interaction: Required

    A victim (typically a logged-in WordPress user) must click the attacker-supplied link for the reflected script to execute in their browser.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.

Blast Radius

  • Reads browser-accessible session cookies and authentication tokens belonging to the victim, enabling session hijacking.
  • Reads page content visible to the victim, which may include sensitive WordPress admin data or user-submitted information.
  • Modifies the page as rendered in the victim's browser, allowing the attacker to inject fake forms or redirect the victim to other sites.
  • Triggers authenticated WordPress actions on behalf of the victim, such as creating or deleting content, within the victim's permission level.

How HarborGuard Handles This

Available on HarborGuard: images containing e2pdf at or below version 1.32.14 are flagged as soon as the CVE is matched during the ingest cycle. Because no upstream fix has been published yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger automatically at that point. In the interim, compensating controls worth considering include web application firewall rules that strip or encode reflected query parameters on e2pdf-related endpoints, network-policy isolation that limits which users can reach the WordPress admin surface, and disabling the e2pdf plugin where its functionality is non-essential until a patch is available.

Affected packages
  • E2Pdf.com / e2pdf: ≤ 1.32.14
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L