PT-2026-31287 · WordPress · Pdfl.Io
Zakaria
·
Published
2026-04-08
·
Updated
2026-04-12
·
CVE-2026-4073
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
pdfl.io plugin for WordPress versions up to and including 1.0.5
Description
The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the 'pdflio' shortcode. The cause is missing input sanitization and output escaping of the 'text' shortcode attribute: the output_shortcode() function appends the user-supplied text value directly to the HTML output without passing it through esc_html() or any other escaping function. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which execute whenever a user visits the affected page.
Recommendations
For versions up to and including 1.0.5, apply proper input sanitization and output escaping to the 'text' attribute within the output_shortcode() function. Escape the value with esc_html() (or the escaping function appropriate to the output context) at the point where it is written into the HTML, so that injected markup is rendered as text rather than interpreted by the browser.
Fix
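Added illustration of the vulnerable pattern the advisory describes next to its hardened form. This is example code written for this advisory, not the plugin's own source: the handler name output_shortcode() and the 'text' attribute come from the advisory, while the wrapper markup, the `pdflio_`-prefixed helper names and the attacker-controlled string are assumptions. The WordPress helpers are stubbed when undefined so the file runs with plain `php` outside WordPress:

```php
<?php
// Added example for this advisory, not the pdfl.io plugin's code. The handler name
// output_shortcode() and the `text` attribute are from the advisory; the wrapper
// markup and the pdflio_* helper names are assumptions. Runs outside WordPress by
// stubbing esc_html() and shortcode_atts() when they are not already defined.

if (!function_exists('esc_html')) {
    // Approximation of WordPress esc_html(): entity-encode <, >, &, " and '
    // for the HTML text context (WordPress's version also avoids double-encoding).
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Approximation of WordPress shortcode_atts(): fill defaults, drop unknown attributes.
    function shortcode_atts($pairs, $atts) {
        $atts = (array) $atts;
        $out  = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable shape: the `text` attribute is concatenated into the HTML with no escaping.
function pdflio_output_shortcode_vulnerable($atts) {
    $atts = shortcode_atts(array('text' => ''), $atts);
    return '<div class="pdflio">' . $atts['text'] . '</div>';
}

// Hardened shape: same markup, but the value is escaped for the HTML text context
// it lands in, at the point of output.
function pdflio_output_shortcode_fixed($atts) {
    $atts = shortcode_atts(array('text' => ''), $atts);
    return '<div class="pdflio">' . esc_html($atts['text']) . '</div>';
}

// Content between the wrapper tags (assumed wrapper markup from the two handlers above).
function pdflio_inner_html($html) {
    if (preg_match('#^<div class="pdflio">(.*)</div>$#s', $html, $m)) {
        return $m[1];
    }
    return $html;
}

// True when the attribute value reached the page as live markup (a raw '<' survives
// inside the wrapper) instead of as escaped text.
function pdflio_inner_has_live_markup($html) {
    return strpos(pdflio_inner_html($html), '<') !== false;
}

// Constructed attacker-controlled attribute value, standing in for what a Contributor
// would place in post content as [pdflio text="..."]; not a payload taken from the advisory.
$atts = array('text' => '<img src=x onerror=alert(document.domain)>');

$vulnerable = pdflio_output_shortcode_vulnerable($atts);
$fixed      = pdflio_output_shortcode_fixed($atts);

echo "vulnerable: $vulnerable\n";
// <div class="pdflio"><img src=x onerror=alert(document.domain)></div>
echo "fixed:      $fixed\n";
// <div class="pdflio">&lt;img src=x onerror=alert(document.domain)&gt;</div>

var_dump(pdflio_inner_has_live_markup($vulnerable)); // bool(true)
var_dump(pdflio_inner_has_live_markup($fixed));      // bool(false)
```

Two points worth keeping in mind when applying the fix to the real handler: esc_html() is only correct when the value is written as element text; if the plugin places the attribute inside an HTML attribute or a URL, esc_attr() or esc_url() is the matching function. And the escaping belongs at output time, because shortcode attributes are evaluated when the post is rendered, after any content filtering applied when a Contributor saved the post.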
XSS
Affected Products
Pdfl.Io