CVE-2024-9451
Description
The Embed PDF Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' and 'width' parameters in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Embed PDF Viewer plugin for WordPress up to v2.4.4 has a stored XSS vulnerability via unsanitized height and width parameters, exploitable by authenticated users with Contributor-level access.
Vulnerability
Overview
The Embed PDF Viewer plugin for WordPress, in all versions up to and including 2.4.4, is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability stems from insufficient input sanitization and output escaping on the 'height' and 'width' parameters used in the plugin's shortcode or block. This allows authenticated attackers to inject arbitrary web scripts that become stored and executed whenever a user accesses the affected page.
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have at least Contributor-level access to a WordPress site. The attacker can craft a post or page containing the Embed PDF Viewer block or shortcode with malicious JavaScript payloads embedded in the 'height' or 'width' attributes. When an administrator or other user views the injected page, the script executes in their browser within the context of the site.
Impact
Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, defacing pages, or taking any other action the victim user is permitted to perform. The injected script runs in the context of the victim's session, potentially leading to full site compromise if an administrator views the page.
Mitigation
As of the publication date, a patched version has not been released. Users are advised to either update the plugin once a fix is available or consider disabling the plugin until a security update is issued. The plugin is open source and maintained on GitHub, so contributors may address the issue in a future release. [1]
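The advisory describes the defect as missing input sanitization and missing output escaping on the 'height' and 'width' attributes. The PHP below is an added illustration, not the plugin's own code (the plugin's real rendering code is at the plugins.trac.wordpress.org reference listed on this page): it places a constructed shortcode handler that concatenates those attributes straight into an iframe tag next to one that validates each value's shape and escapes it on output. The `epv_` function names, the input values, and the simplified stand-ins for the WordPress helpers `shortcode_atts()`, `esc_attr()` and `esc_url()` are all assumptions made so the file runs under the plain PHP CLI; inside WordPress the real helpers are used instead.

```php
<?php
// Added illustration, not the Embed PDF Viewer plugin's own code. It contrasts a
// shortcode handler that drops 'width'/'height' straight into markup with one that
// validates the shape of each value and escapes it on output, which is the class
// of defect the advisory describes. The WordPress helpers are shimmed with
// simplified versions so the file also runs under the plain PHP CLI.

if (!function_exists('shortcode_atts')) {
    // Simplified stand-in for WordPress's shortcode_atts(): keep only known keys.
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    // Simplified stand-in for esc_attr(): neutralise quotes and angle brackets.
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in for esc_url(): allow only http(s) URLs, then escape.
    function esc_url($url): string {
        $url = trim((string) $url);
        return preg_match('#^https?://#i', $url) ? esc_attr($url) : '';
    }
}

// Vulnerable pattern (constructed): attribute values supplied by the post author
// are concatenated into the iframe tag with no validation and no escaping.
function epv_render_vulnerable(array $atts): string {
    $a = shortcode_atts(['url' => '', 'width' => '100%', 'height' => '500'], $atts);
    return '<iframe src="' . $a['url'] . '" width="' . $a['width']
         . '" height="' . $a['height'] . '"></iframe>';
}

// A dimension is an integer pixel count or an integer percentage; anything else is
// rejected and replaced by the default. Validation happens before escaping, so the
// output contract is "a number", not merely "a string without quotes".
function epv_sanitize_dimension($value, string $default): string {
    $value = trim((string) $value);
    return preg_match('/^[0-9]{1,5}%?$/', $value) === 1 ? $value : $default;
}

// Hardened pattern: validate each attribute against an allowlist of shapes, then
// escape every value at the point it is written into HTML.
function epv_render_hardened(array $atts): string {
    $a = shortcode_atts(['url' => '', 'width' => '100%', 'height' => '500'], $atts);
    $width  = epv_sanitize_dimension($a['width'], '100%');
    $height = epv_sanitize_dimension($a['height'], '500');
    return '<iframe src="' . esc_url($a['url']) . '" width="' . esc_attr($width)
         . '" height="' . esc_attr($height) . '"></iframe>';
}

// Regression check: true when the markup holds exactly one open and one close tag
// and no attribute other than the three the handler is meant to emit.
function epv_output_is_clean(string $html): bool {
    if (preg_match_all('/<[^>]+>/', $html) !== 2) {
        return false;
    }
    preg_match_all('/\s([a-zA-Z-]+)=/', $html, $m);
    return $m[1] === ['src', 'width', 'height'];
}

// Constructed input modelled on the advisory: a 'height' value that closes the
// attribute early and smuggles an extra attribute into the tag.
$constructed_atts = [
    'url'    => 'https://example.com/report.pdf',
    'width'  => '100%',
    'height' => '500" data-injected="x',
];

echo "vulnerable: " . epv_render_vulnerable($constructed_atts) . "\n";
echo "hardened:   " . epv_render_hardened($constructed_atts) . "\n";
echo "clean(vulnerable) = "
   . var_export(epv_output_is_clean(epv_render_vulnerable($constructed_atts)), true) . "\n";
echo "clean(hardened)   = "
   . var_export(epv_output_is_clean(epv_render_hardened($constructed_atts)), true) . "\n";
```

Run with `php example.php`: the vulnerable renderer emits a fourth attribute (`data-injected`) and the clean check returns false, while the hardened renderer falls back to the default height and passes. Escaping with `esc_attr()` alone would already stop the attribute breakout, but validating the value's shape first gives a stronger guarantee and is what "sanitization" means in the advisory's wording; in a real plugin that accepts only pixel values, WordPress's `absint()` is the simplest validator, and the `%` allowance here exists only to cover the common `width="100%"` case.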
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.4.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/embed-pdf-viewer/trunk/embed-pdf-viewer.php (nvd)
- plugins.trac.wordpress.org/changeset/3164573/ (nvd)
- wordpress.org/plugins/embed-pdf-viewer/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/b616e275-855d-461e-8fcb-c96098e41dfd (nvd)
News mentions
No linked articles in our index yet.