pdf.js < 2.0.943 – Authenticated (Author+) Stored Cross-Site Scripting | CVE 2018-5158 | Plugin Vulnerabilities

Description

The Algori PDF Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to the use of a vulnerable version of pdf.js in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

algori-pdf-viewer

Fixed in 1.0.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd66329-098e-4adf-b66f-d82a47720629

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Colin Xu

Verified

No

WPVDB ID

fbc01a00-e292-4747-8a79-82b539ec187e

Timeline

Publicly Published

2024-11-08 (about 1 year ago)

Added

2024-11-08 (about 1 year ago)

Last Updated

2024-11-08 (about 1 year ago)

Other

Published

Title

Published

2023-11-20

Title

wpForo Forum < 2.2.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-01-30

Title

Ticketmeo – Sell Tickets – Event Ticketing < 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2023-10-12

Title

BuddyPress Global Search <= 1.2.1 - Admin+ Stored XSS

Published

2025-02-21

Title

Google Maps GPX Viewer <= 3.6 - Reflected Cross-Site Scripting

Published

2026-01-11

Title

Penci Recipe <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting