PDF.js < 4.2.67 – Arbitrary JavaScript Execution


Can you let me know if and when you’ll be addressing the vulnerability with your plugin’s embedded PDF.js script?

PDF.js < 4.2.67 – Arbitrary JavaScript Execution
PDF.js is vulnerable to Arbitrary JavaScript Execution in versions prior to 4.2.67. This is due to a missing type check when handling fonts. This makes it possible for authenticated attackers, with contributor-level or above permissions, to execute arbitrary JavaScript if they can successfully trick a user into opening a crafted PDF file. Source: Wordfence
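For site owners checking their own installs, here is a small scanner that finds bundled PDF.js builds under a directory and flags any older than 4.2.67. It is an added example, not part of the original post or of any plugin's code. It assumes the build declares its version as `pdfjsVersion = "x.y.z"`, and the sample tree in `demo()` is constructed.

```python
import os
import re
import tempfile

FIXED = (4, 2, 67)  # first fixed release, per the advisory quoted above
# Assumption: the bundled build declares its version as pdfjsVersion = "x.y.z".
VERSION_RE = re.compile(r"""pdfjsVersion\s*=\s*["'](\d+)\.(\d+)\.(\d+)["']""")


def find_pdfjs(root):
    """Return sorted (relative path, version string, is_vulnerable) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".mjs")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    match = VERSION_RE.search(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if match:
                version = tuple(int(part) for part in match.groups())
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, ".".join(match.groups()), version < FIXED))
    return sorted(hits)


def demo():
    """Scan a constructed plugins tree (names and contents are made up)."""
    sample = {
        "old-viewer/js/pdf.worker.js": "var pdfjsVersion = '2.6.347';\n",
        "new-viewer/build/pdf.mjs": 'const pdfjsVersion = "4.2.67";\n',
        "other-plugin/app.js": "console.log('no pdf.js here');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_pdfjs(root)


if __name__ == "__main__":
    for rel, version, vulnerable in demo():
        print(f"{rel}: PDF.js {version} ->", "UPDATE NEEDED" if vulnerable else "ok")
```

Point `find_pdfjs` at the `wp-content/plugins` directory of the site being checked; a build that does not match the assumed version pattern is not reported, so an empty result is not proof that no copy is present.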


