The WordPress PDF.js Shortcode plugin allows users to embed PDF files via a shortcode. The plugin does not adequately neutralize the content provided in the shortcode, leading to a stored cross‑site scripting (XSS) vulnerability (CWE‑79). An attacker can craft malicious input that will be rendered as part of a web page, enabling code execution within the browsers of any visitor who views a page containing the affected shortcode. The impact is the potential compromise of confidentiality and integrity of site visitors through client‑side attacks.

The vulnerability exists in the aruvi PDF.js Shortcode plugin for WordPress. Any installation of the plugin through version 1.0, including that exact release, is affected.

The CVSS base score of 6.5 indicates a moderate severity. The EPSS score of less than 1 % suggests a very low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation. Based on the description, it is inferred that the attack vector requires insertion of malicious content into the shortcode input, typically via the WordPress content editor or other authorized interface, and that successful exploitation would result in client‑side script execution on any page that renders the affected shortcode.