CVE-2026-9738 in Print PDF & Email by PrintFriendly Plugin
Summary
by MITRE • 07/11/2026
The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content_position_css' parameter in all versions up to, and including, 5.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The Print Friendly plugin for WordPress represents a widely used tool that enables users to create printable versions of web pages including pdf generation and email functionality. This particular vulnerability affects all versions up to and including 5.5.10 where the plugin fails to properly sanitize user input. The specific flaw exists within the 'content_position_css' parameter which is processed without adequate sanitization measures or proper output escaping mechanisms. This security weakness allows authenticated attackers who possess administrator level privileges or higher to inject malicious scripts into the plugin's configuration parameters.
The technical nature of this vulnerability classifies as a stored cross-site scripting flaw that operates through the manipulation of input parameters within the WordPress admin interface. When administrators modify the print-friendly settings, particularly those related to content positioning through CSS properties, the system does not sufficiently validate or escape the user-supplied content before storing it in the database. This creates a persistent security risk where malicious scripts become permanently embedded within the plugin's stored configuration data. The vulnerability operates under CWE-79 which specifically addresses cross-site scripting flaws and aligns with ATT&CK technique T1203 for Exploitation for Execution.
The operational impact of this vulnerability is significant as it allows attackers to execute arbitrary web scripts on behalf of authenticated users who access pages containing the injected content. This means that any user with sufficient privileges to modify plugin settings can potentially compromise the entire WordPress installation through persistent script injection. The stored nature of the vulnerability ensures that the malicious payload remains active until manually removed from the configuration, creating an ongoing security threat for all users accessing affected pages. This particular attack vector is particularly dangerous because it requires only administrative access level and leverages legitimate plugin functionality to deliver malicious payloads.
Mitigation strategies should begin with immediate patching to version 5.5.11 or later which addresses this specific input sanitization weakness. Organizations should implement strict input validation controls that sanitize all user-supplied content before storage, particularly for CSS-related parameters that are processed through the plugin configuration interface. Network monitoring solutions should be enhanced to detect suspicious JavaScript payloads in web requests related to print-friendly functionality. Administrative users should be restricted to minimal necessary privileges and regular security audits of plugin configurations should be conducted. The principle of least privilege should be enforced where possible, limiting who can modify critical plugin settings that handle potentially malicious content through CSS parameter manipulation.