Impact
This vulnerability is a Server‑Side Request Forgery (SSRF) that allows an attacker to make the server hosting the Embed PDF Viewer plugin fetch attacker‑chosen resources. The flaw stems from the plugin accepting a user‑supplied PDF URL without adequate validation, so the resulting request can be pointed at internal or external services. Successful exploitation could lead to data exfiltration, bypassing network perimeter defenses, or using the affected server as a proxy for further attacks. The weakness is classified as CWE‑918.
Affected Systems
The affected product is the WordPress Embed PDF Viewer plugin developed by Andy Fragen. All installations running any version up to and including 2.4.7 are vulnerable. No additional edition or configuration requirements are listed.
Risk and Exploitability
The CVSS base score of 4.9 indicates moderate severity, and the EPSS score of less than 1% denotes a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be submitting a crafted PDF URL through the plugin’s interface or sending a specially crafted request to the plugin endpoint, which typically requires an authenticated user session with upload or plugin management permissions. While the exploit does not provide immediate remote code execution, it can expose internal network resources and serve as a stepping stone for more dangerous attacks.
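As an added illustration (not the plugin's code or its fix), the check below shows the validation a user‑supplied PDF URL needs before a server‑side fetch: only http(s), no embedded credentials, and every address the host resolves to must be globally routable. The `resolve` hook and the hostnames in `DEMO_HOSTS` are constructed so the example runs offline.

```python
"""Fail-closed URL validation for a user-supplied PDF URL (CWE-918 mitigation).

Added example, not code from the Embed PDF Viewer plugin. The `resolve`
parameter is a hypothetical hook: production code would pass a real DNS
lookup, and must re-check the address at connect time (DNS rebinding).
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample DNS data for the offline demonstration.
DEMO_HOSTS = {
    "cdn.example.org": {"93.184.216.34"},      # public CDN host
    "intranet.corp.test": {"10.1.2.3"},        # RFC 1918 address
    "meta.attacker.test": {"169.254.169.254"}, # cloud metadata address
}


def demo_resolve(host):
    """Stand-in resolver: returns the constructed address set or fails."""
    if host in DEMO_HOSTS:
        return DEMO_HOSTS[host]
    raise OSError("no such host")


def real_resolve(host):
    """Real resolver for production use (not exercised in the demo)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_pdf_url(url, resolve=demo_resolve):
    """True only for http(s) URLs whose host maps solely to global addresses.

    Rejects file://, gopher:// and other schemes, user:pass@ prefixes,
    loopback, private, link-local, unspecified and reserved ranges, and
    anything that fails to parse or resolve (fail closed).
    """
    try:
        parts = urlparse(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username or parts.password:  # credential-in-URL confusion
        return False
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP in the URL
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
```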
OpenCVE Enrichment