WordPress Plugin Vulnerabilities

PDF.js < 4.2.67 - Arbitrary JavaScript Execution

Description

PDF.js is vulnerable to Arbitrary JavaScript Execution in versions prior to 4.2.67. This is due to a missing type check when handling fonts. This makes it possible for authenticated attackers, with contributor-level or above permissions, to execute arbitrary JavaScript if they can successfully trick a user into opening a crafted PDF file.

Affects Plugins

Plugin icon
pdfjs-viewer-shortcode
Fixed in 2.2
Plugin icon
pdf-viewer-for-elementor
No known fix
Plugin icon
pdf-embedder
Fixed in 4.8.0
Plugin icon
pdf-poster
Fixed in 2.1.22

References

CVE
CVE-2024-4367
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ce7aa01-7e79-4048-a84d-fcb9541d5f8b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Colin Xu, James Myers (ConfidenceRemainsHigh), Codean Labs
Verified
No
WPVDB ID
6d8281fa-1240-4d71-97e4-bdc59511c6b3

Timeline

Publicly Published
2024-05-20 (about 1 year ago)
Added
2024-06-03 (about 1 year ago)
Last Updated
2024-07-19 (about 1 year ago)

Other

Published
Title
Published
2025-04-10
Title
Z Companion < 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2015-06-18
Title
Salem Theme < 1.5.6 - PrettyPhoto DOM Cross-Site Scripting (XSS)
Published
2024-09-16
Title
Geo Mashup < 1.13.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-05-28
Title
Expert Invoice <= 1.0.2 -Admin+ Stored XSS
Published
2024-08-13
Title
Maspik - Advanced Spam protection < 2.1.3 - Admin+ Stored XSS