WordPress Plugin Vulnerabilities

Wonder PDF Embed < 1.7 - Contributor+ Stored XSS

Description

The plugin does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

Proof of Concept

Affects Plugins

Plugin icon
wonderplugin-pdf-embed
Fixed in 1.7

References

CVE
CVE-2021-24541

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
e6602369-87f4-4454-8298-89cc69f8375c

Timeline

Publicly Published
2021-07-19 (about 4 years ago)
Added
2021-07-19 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-03-31
Title
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder < 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-13
Title
Visualmodo Elements <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2025-02-18
Title
Wonder Video Embed < 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-05-01
Title
3D FlipBook < 1.15.5 - Authenticated (Author+) Stored Cross-Site Scritping via Bookmark URL
Published
2025-07-03
Title
Smart Docs < 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting