CVE-2024-29141
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PDF Embedder allows Stored XSS. This issue affects PDF Embedder: from n/a through 4.6.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in PDF Embedder plugin (≤4.6.4) allows attackers with contributor+ access to inject arbitrary JavaScript via PDF filenames.
Vulnerability
The PDF Embedder WordPress plugin versions from n/a through 4.6.4 suffer from Improper Neutralization of Input During Web Page Generation, leading to Stored Cross-Site Scripting (XSS). The vulnerability resides in how the plugin handles and displays PDF filenames or metadata when embedding PDFs into posts and pages; user-supplied input is not properly sanitized or escaped, allowing malicious scripts to be stored on the server. The affected versions include all releases up to and including 4.6.4 [1].
Exploitation
An attacker must have at least Contributor-level access to a WordPress installation (or a role that can upload PDF media files). The attacker uploads a PDF with a crafted filename containing a JavaScript payload (e.g., .pdf). When the PDF is embedded via the plugin's shortcode or block, and a victim (such as an administrator or site visitor) views the post or page containing the embedded PDF, the injected script executes in the browser context of the site. No additional user interaction beyond viewing the page is required for the stored payload to fire [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as authentication cookies. The stored nature of the XSS means the malicious payload persists on the server and affects all users who view the compromised content, potentially granting the attacker escalated privileges within the WordPress admin dashboard [1].
Mitigation
The vulnerability has been fixed in version 5.0.0 of the PDF Embedder plugin, released on 2026-05-14 [1]. Users are strongly advised to update to version 5.0.0 or later immediately. For installations where updating is not immediately possible, site administrators should restrict upload capabilities to trusted users only and review any PDFs uploaded by contributors for suspicious filenames. No workaround that completely eliminates the risk has been disclosed; updating is the recommended mitigation [1].
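To make the mitigation concrete, the following is an added example written for this page; it is not PDF Embedder's own code. The two rendering functions (pdfemb_render_embed_unsafe, pdfemb_render_embed_safe) and the review helper are hypothetical, while esc_url(), esc_attr(), esc_html(), wp_get_attachment_url(), get_the_title(), get_posts() and get_attached_file() are standard WordPress functions. It contrasts the weak pattern the description points at (an attacker-controlled attachment title or filename echoed straight into the embed markup) with context-appropriate output escaping, and adds a helper that supports the interim advice of reviewing contributor-uploaded PDFs for suspicious names.

```php
<?php
// Added example, not the plugin's code. Function names below are hypothetical;
// the esc_*(), get_*() and get_posts() calls are real WordPress APIs.

// Weak pattern: the attachment title (derived from the uploaded filename and
// editable by the uploader) is interpolated into HTML with no escaping.
// A title carrying markup is stored with the attachment and rendered for
// every viewer of the post, which is exactly a stored XSS.
function pdfemb_render_embed_unsafe( $attachment_id ) {
    $url   = wp_get_attachment_url( $attachment_id );
    $title = get_the_title( $attachment_id );
    return '<div class="pdfemb-viewer" data-url="' . $url . '" title="' . $title . '">'
         . $title . '</div>';
}

// Corrected pattern: escape each value for the exact context it lands in.
// esc_url() for the URL attribute, esc_attr() inside a quoted attribute,
// esc_html() for text content. Escaping at output time is the fix that
// holds regardless of what was stored.
function pdfemb_render_embed_safe( $attachment_id ) {
    $url   = wp_get_attachment_url( $attachment_id );
    $title = get_the_title( $attachment_id );
    return '<div class="pdfemb-viewer" data-url="' . esc_url( $url ) . '"'
         . ' title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</div>';
}

// Review helper for the interim mitigation on unpatched sites: list PDF
// attachments whose stored title or file name contains characters that have
// no place in a document name. Returns an array an administrator can inspect
// (e.g. from a WP-CLI eval or an admin-only page); it changes nothing itself.
function pdfemb_find_suspicious_pdfs() {
    $hits = array();
    $pdfs = get_posts( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',
        'post_status'    => 'inherit',
        'posts_per_page' => -1,
    ) );
    foreach ( $pdfs as $pdf ) {
        $file = basename( (string) get_attached_file( $pdf->ID ) );
        foreach ( array( $pdf->post_title, $file ) as $value ) {
            // Angle brackets, quotes, or inline-handler/URL-scheme fragments
            // are strong signals that the name was crafted rather than typed.
            if ( preg_match( '/[<>"\']|javascript:|on\w+\s*=/i', $value ) ) {
                $hits[] = array(
                    'id'     => $pdf->ID,
                    'author' => (int) $pdf->post_author,
                    'value'  => $value,
                );
                break;
            }
        }
    }
    return $hits;
}
```

The point of keeping the unsafe and safe renderers side by side is that the fix is a one-line change per output location, not a filename filter: WordPress already normalises filenames on upload, but the attachment title is a separate, user-editable field, so only escaping at the point of output closes the gap.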
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.6.4
- (no CPE) range: <=4.6.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.