PDF Embedder Security & Risk Analysis

wordpress.org/plugins/pdf-embedder

Seamlessly embed PDFs into your content, with customizations and intelligent responsive resizing, and no third-party services or iframes.

300K active installs · v4.9.3 · PHP 7.2+ · WP 6.1+ · Updated Dec 30, 2025
Tags: block, embed-pdf, pdf, pdf-document, pdf-viewer
Score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Mar 18, 2024

Safety Verdict

Is PDF Embedder Safe to Use in 2026?

Generally Safe

Score 100/100

PDF Embedder has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 18, 2024 · Updated 3mo ago

Risk Assessment

The PDF Embedder plugin version 4.9.3 demonstrates a generally strong security posture with several positive attributes. The complete absence of critical or high-severity taint flows is a significant strength, indicating that user-supplied data is largely handled safely. Furthermore, the plugin exclusively uses prepared statements for its SQL queries and boasts a high percentage of properly escaped output, mitigating common web application vulnerabilities. The presence of nonce and capability checks on many of its entry points also suggests a good level of defensive coding.

However, the presence of two AJAX handlers without authentication checks represents a notable concern. These unprotected entry points could potentially be exploited by unauthenticated users to trigger unintended actions or access sensitive information, depending on the functionality they expose. The plugin's vulnerability history, while showing no currently unpatched vulnerabilities, does include a past medium-severity Cross-Site Scripting (XSS) vulnerability. This pattern suggests that while the developers are responsive to fixing issues, there's a historical susceptibility to input sanitization weaknesses.

In conclusion, PDF Embedder v4.9.3 is a plugin with good fundamental security practices in place, particularly concerning SQL injection and output sanitization. The primary weakness lies in the two unauthenticated AJAX endpoints, which present a direct attack vector. The past XSS vulnerability serves as a reminder to remain vigilant about input validation. While not critically flawed, the unauthenticated AJAX handlers warrant attention and potential remediation to fully secure the plugin.

Key Concerns

  • Unprotected AJAX handlers
  • Past medium severity XSS vulnerability

Vulnerabilities: 1

PDF Embedder Security Vulnerabilities

CVEs by Year

2024: 1 CVE

Severity Breakdown

Medium: 1

1 total CVE

CVE-2024-29141 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PDF Embedder <= 4.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 18, 2024 Patched in 4.7.1 (5d)
Code Analysis
Analyzed Mar 16, 2026

PDF Embedder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (5 prepared)
Unescaped Output: 8 (135 escaped)
Nonce Checks: 5
Capability Checks: 4
File Operations: 1
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

100% prepared · 5 total queries

Output Escaping

94% escaped · 143 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
network_save_settings (src\Admin\Admin.php:597)

Attack Surface: 2 unprotected

PDF Embedder Attack Surface

Entry Points: 8
Unprotected: 2

AJAX Handlers: 8

auth  wp_ajax_pdfemb_admin_settings_getstarted_dismiss  src\Admin\Education\GetStarted.php:30
auth  wp_ajax_pdfemb_admin_settings_getstarted_open  src\Admin\Education\GetStarted.php:31
auth  wp_ajax_pdfemb_admin_settings_topbar_upgrade  src\Admin\Education\SettingsTopBar.php:37
auth  wp_ajax_pdfemb_partners_install  src\Admin\Partners.php:23
auth  wp_ajax_pdfemb_partners_activate  src\Admin\Partners.php:24
auth  wp_ajax_pdfemb_partners_deactivate  src\Admin\Partners.php:25
auth  wp_ajax_wppdf_dismiss_review  src\Admin\WPorgReview.php:29
auth  wp_ajax_wppdf_defer_review  src\Admin\WPorgReview.php:30

WordPress Hooks: 22

action  plugins_loaded  pdf_embedder.php:80
action  plugins_loaded  pdf_embedder.php:112
action  admin_notices  requirements.php:8
filter  media_send_to_editor  src\Admin\Admin.php:64
filter  admin_footer_text  src\Admin\Admin.php:67
filter  update_footer  src\Admin\Admin.php:68
action  admin_print_scripts  src\Admin\Admin.php:70
action  pdfemb_admin_settings_extra  src\Admin\Admin.php:76
action  pdfemb_admin_settings_extra  src\Admin\Education\DemoContent.php:26
action  pdfemb_admin_settings_before  src\Admin\Education\SettingsTopBar.php:36
filter  attachment_fields_to_edit  src\Admin\MediaLibrary.php:30
action  add_meta_boxes_attachment  src\Admin\MediaLibrary.php:31
filter  upload_mimes  src\Admin\MediaLibrary.php:39
filter  post_mime_types  src\Admin\MediaLibrary.php:41
action  admin_notices  src\Admin\WPorgReview.php:28
action  init  src\Plugin.php:80
action  init  src\Plugin.php:82
filter  pdfemb_options_validated  src\Plugin.php:90
action  admin_init  src\Plugin.php:92
action  enqueue_block_assets  src\Plugin.php:129
action  wp_enqueue_scripts  src\Plugin.php:131
action  admin_menu  src\Tasks\Tasks.php:40

Maintenance & Trust

PDF Embedder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 30, 2025
PHP min version: 7.2
Downloads: 5.0M

Community Trust

Rating: 94/100
Number of ratings: 477
Active installs: 300K

Developer Profile

PDF Embedder Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days

Detection Fingerprints

How We Detect PDF Embedder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pdf-embedder/css/admin/pdfemb-admin.css
/wp-content/plugins/pdf-embedder/css/admin/pdfemb-admin-media.css
/wp-content/plugins/pdf-embedder/js/admin/pdfemb-admin.js
Script Paths
/wp-content/plugins/pdf-embedder/js/admin/pdfemb-admin.js
Version Parameters
pdf-embedder/css/admin/pdfemb-admin.css?ver=
pdf-embedder/css/admin/pdfemb-admin-media.css?ver=
pdf-embedder/js/admin/pdfemb-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
pdfemb-admin-media
Data Attributes
pdfemb-activate-partner
pdfemb-deactivate-partner
pdfemb-install-partner
JS Globals
pdfemb_args