Attack Vectors
CVE-2025-31850 is a Medium severity Stored Cross-Site Scripting (XSS) issue (CVSS 6.4) affecting the PDF Generator for WordPress Elementor plugin (slug: pdf-generator-addon-for-elementor-page-builder) in versions up to and including 2.1.0.
The key risk driver is that the attack requires an authenticated WordPress user with Contributor-level access or higher. In practical terms, this can include internal staff, agencies, contractors, or any account that has been created for content collaboration. An attacker in that position can inject malicious scripts into affected content, and those scripts can run when someone later views the injected page—without the viewer needing to click anything.
Because this is “stored” XSS, the payload persists until removed, which increases business exposure: the same injected page can repeatedly affect marketing teams, executives, or site visitors who access it during normal operations.
Security Weakness
The vulnerability is caused by insufficient input sanitization and output escaping within the plugin. That means untrusted content can be saved in a way that later renders in the browser as active script instead of safe text.
For marketing and business leadership, the takeaway is straightforward: the issue is not about “hackers breaking in” through a firewall—it’s about unsafe handling of content inside the website. If a Contributor+ account is abused (or a trusted user makes a mistake with copied content), the site can unintentionally deliver malicious behavior to anyone viewing the affected page.
Remediation is available: update to version 2.2.0 or newer of the plugin to address CVE-2025-31850.
Technical or Business Impacts
Stored XSS can create real business risk even at Medium severity. Depending on where the injected content appears, impacts may include session hijacking (attacker takes over a logged-in user’s session), unauthorized actions performed in a user’s browser, or content and brand manipulation that changes what visitors see without obvious signs.
From a leadership perspective, the most likely consequences are operational and reputational: compromised admin or editor accounts can lead to rapid site changes, misleading calls-to-action, altered tracking tags, or unauthorized redirects that undermine campaign performance and trust. Compliance teams should also consider whether this could expose limited user data (the CVSS vector indicates low confidentiality and integrity impact) and whether incident response or notification obligations apply based on what content was affected and who may have viewed it.
Similar Attacks: Stored XSS is a common technique used in real-world compromises. Examples include the British Airways web skimming incident (often referred to as “Magecart”), where injected scripts captured payment details (BleepingComputer report), and Ticketmaster’s Magecart-related incident involving script-based data theft (BBC coverage).
Recommended action: if you use PDF Generator for WordPress Elementor and your installed version is 2.1.0 or lower, prioritize updating to 2.2.0+ and review Contributor+ accounts (including third parties) to ensure access is still necessary. For reference, the CVE record is available here: https://www.cve.org/CVERecord?id=CVE-2025-31850.
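The check described in the recommended action can be scripted. The following is an added example, not code from the plugin vendor or the CVE record; it assumes WP-CLI (`wp`) is installed, a `sort` that supports `-V`, the default WordPress role names, and that any version below 2.2.0 should be treated as needing the update.

```shell
#!/bin/sh
# Added example: audit one WordPress install for CVE-2025-31850 exposure.
# Usage: sh audit.sh /path/to/wordpress
SLUG="pdf-generator-addon-for-elementor-page-builder"  # slug from the advisory
FIXED="2.2.0"                                          # first fixed version

# Return 0 (true) when version $1 sorts strictly below $FIXED.
# Version sort is used so that 2.10.0 is not mistaken for less than 2.2.0.
needs_update() {
  [ "$1" != "$FIXED" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)" = "$1" ]
}

# Report plugin status for the install at $1.
# Returns 0 = not installed or patched, 1 = update needed, 2 = WP-CLI missing.
audit_site() {
  wp_path=$1
  command -v wp >/dev/null 2>&1 || { echo "WP-CLI (wp) not found" >&2; return 2; }

  if ! wp --path="$wp_path" plugin is-installed "$SLUG"; then
    echo "OK: $SLUG is not installed"
    return 0
  fi

  ver=$(wp --path="$wp_path" plugin get "$SLUG" --field=version)
  if needs_update "$ver"; then
    echo "AFFECTED: $SLUG $ver is below $FIXED (CVE-2025-31850); update the plugin"
    # List every account that meets the Contributor+ requirement so each one
    # can be reviewed (default WordPress roles assumed; custom roles are not covered).
    for role in contributor author editor administrator; do
      echo "--- role: $role"
      wp --path="$wp_path" user list --role="$role" \
        --fields=ID,user_login,user_email,user_registered,roles
    done
    return 1
  fi
  echo "OK: $SLUG $ver is at or above $FIXED"
}

# Only audit when a WordPress path is passed on the command line.
if [ -n "${1:-}" ]; then
  audit_site "$1"
fi
```

The non-zero exit status on an affected install lets the script be used as a gate in a scheduled job or deployment check.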