Embed PDF <= 1.0.6 - Contributor+ Stored XSS via Shortcode
Description
The Embed PDF WordPress plugin through version 1.0.6 does not validate or escape some of its shortcode attributes before outputting them in the page or post where the shortcode is embedded. This allows users with the contributor role or above to perform stored cross-site scripting (XSS) attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Embed PDF WordPress plugin through 1.0.6 allows contributor+ users to inject arbitrary JavaScript via shortcode attributes.
Vulnerability
The Embed PDF WordPress plugin through version 1.0.6 fails to validate and escape shortcode attributes before outputting them in a page or post where the shortcode is embedded. This vulnerability enables stored cross-site scripting (XSS) attacks [1].
Exploitation
An attacker with at least the contributor role can place the shortcode in a post and supply malicious JavaScript through its unsanitized attributes. Contributors normally cannot publish raw script because WordPress strips it from their post body with the KSES filter, but a shortcode is expanded into HTML by the plugin at render time, after that filtering, so the attribute values reach the page unfiltered. When an administrator or other user views or previews the affected page or post, the injected script executes in their browser [1].
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim, such as stealing cookies, session tokens, or redirecting to malicious sites, leading to full compromise of the victim's WordPress session [1].
Mitigation
As of publication, no fix is available; the vendor has not released a patched version. Users should deactivate and remove the plugin until a security update is provided [1]. Site owners who have had contributor-level accounts should also review existing posts for instances of the plugin's shortcode whose attribute values contain quotes, angle brackets or event-handler names.
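The Vulnerability and Mitigation sections above describe the general pattern of this bug class: a shortcode handler that interpolates attacker-controlled attributes into HTML. The following is an added illustrative example, not the Embed PDF plugin's own code; the shortcode tag `pdf_embed_demo` and the attribute names `url`, `width`, `height` and `title` are assumptions. It shows the unsafe handler beside a hardened version that validates each attribute for its expected type and escapes it for the HTML attribute context, using only standard WordPress functions.

```php
<?php
// Added example of a shortcode handler, not code from the Embed PDF plugin.
// The tag 'pdf_embed_demo' and the attribute names are assumptions.

// VULNERABLE pattern: attribute values concatenated straight into HTML.
function pdf_embed_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'width' => '100%', 'height' => '600', 'title' => '' ),
        $atts,
        'pdf_embed_demo'
    );
    // Every value here is contributor-controlled. WordPress expands the shortcode
    // when the post is rendered, so this HTML is never passed through the KSES
    // filter that strips script from the contributor's post body.
    return '<iframe src="' . $atts['url'] . '" width="' . $atts['width']
        . '" height="' . $atts['height'] . '" title="' . $atts['title'] . '"></iframe>';
}

// Constructed attacker input (illustrative). WordPress accepts single-quoted
// attribute values, which may contain double quotes:
//   [pdf_embed_demo url='x" onload="alert(document.cookie)']
// The vulnerable handler then emits:
//   <iframe src="x" onload="alert(document.cookie)" width="100%" ...></iframe>

// HARDENED pattern: validate by type, then escape for the output context.
function pdf_embed_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'width' => '100%', 'height' => '600', 'title' => '' ),
        $atts,
        'pdf_embed_demo'
    );

    // esc_url() drops disallowed schemes (javascript:, data:) and strips
    // characters such as quotes and angle brackets; we additionally require
    // an http(s) URL that points at a .pdf resource.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url || ! preg_match( '/\.pdf(\?.*)?$/i', $url ) ) {
        return ''; // Refuse to render rather than emit attacker-chosen content.
    }

    // Dimensions: a small integer, optionally a percentage for width; nothing else.
    $width  = preg_match( '/^\d{1,4}%?$/', $atts['width'] ) ? $atts['width'] : '100%';
    $height = absint( $atts['height'] ) ? absint( $atts['height'] ) : 600;

    // Free text is escaped for an HTML attribute context.
    $title = esc_attr( $atts['title'] );

    return sprintf(
        '<iframe src="%s" width="%s" height="%d" title="%s"></iframe>',
        $url,
        esc_attr( $width ),
        $height,
        $title
    );
}

add_shortcode( 'pdf_embed_demo', 'pdf_embed_hardened' );
```

The important design choice is that validation happens per attribute according to what the attribute is for: a URL gets scheme and suffix checks, a dimension gets a numeric whitelist, and only genuinely free text falls through to `esc_attr()`. Escaping alone is not sufficient for `src`, since a syntactically clean `javascript:` URL would survive `esc_attr()` and still execute.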
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References
[1] wpscan.com/vulnerability/2a162365-5a86-423d-b7c4-55c9b4d8b024 (tags: mitre, exploit, vdb-entry, technical-description)
News mentions: 0 (no linked articles indexed yet)