PDF.js Viewer Security & Risk Analysis

wordpress.org/plugins/pdfjs-viewer-shortcode

Embed a beautiful PDF viewer into pages.

20K active installs · v3.0.2 · PHP 7.4+ · WP 5.0+ · Updated Dec 10, 2025
Tags: embed, mozilla, pdf, pdfjs, viewer
Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jan 10, 2023
Safety Verdict

Is PDF.js Viewer Safe to Use in 2026?

Generally Safe

Score 99/100

PDF.js Viewer has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 10, 2023 · Updated 3mo ago
Risk Assessment

The pdfjs-viewer-shortcode plugin, version 3.0.2, shows a mixed security posture. On the positive side, its attack surface is small, every identified entry point is protected by authentication, and a large share of its output is escaped. There are, however, notable areas of concern. The plugin issues an SQL query without a prepared statement, which can lead to SQL injection if the data reaching that query is not properly sanitized. The taint analysis also found a data flow with an unsanitized path; although it carries no critical or high severity rating, it points to a potential for subtle vulnerabilities that are not immediately obvious. The plugin's vulnerability history, with two known medium-severity Cross-Site Scripting (XSS) vulnerabilities, the most recent from early 2023, suggests a recurring pattern of input validation issues. No CVEs are currently unpatched, but this history calls for ongoing vigilance. In conclusion, while the plugin benefits from a well-controlled attack surface and good output escaping, the SQL query that does not use a prepared statement and the identified unsanitized data flow, together with the past XSS issues, warrant caution and suggest that further hardening of input handling is advisable.

Key Concerns

  • SQL queries not using prepared statements
  • Flow with unsanitized paths identified
  • Medium severity XSS vulnerabilities in history
Vulnerabilities (2)

PDF.js Viewer Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2022-4670 · Medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PDF.js Viewer <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 10, 2023 · Patched in 2.1.8 (378d)

CVE-2021-24759 · Medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PDF.js Viewer <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 11, 2021 · Patched in 2.0.2 (1066d)

Code Analysis (analyzed Mar 16, 2026)

PDF.js Viewer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 10 (33 escaped)
Nonce Checks: 3
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared (1 total query)

Output Escaping

77% escaped (43 total outputs)

Data Flows (1 unsanitized)

Data Flow Analysis

1 flow, 1 with unsanitized paths
<viewer> (pdfjs\web\viewer.php:0)
Attack Surface

PDF.js Viewer Attack Surface

Entry Points: 2 · Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_pdfjs_dismiss_notice_ajax · inc\admin-notice.php:173

Shortcodes: 1

[pdfjs-viewer] · inc\shortcode.php:7

WordPress Hooks: 23

action · admin_notices · inc\admin-notice.php:78
action · admin_enqueue_scripts · inc\admin-notice.php:112
action · admin_post_pdfjs_dismiss_notice · inc\admin-notice.php:146
action · before_delete_post · inc\cleanup-hooks.php:20
filter · init · inc\custom-page.php:4
action · init · inc\gutenberg-block.php:114
action · media_buttons · inc\media-button.php:8
action · wp_enqueue_media · inc\media-button.php:20
action · admin_init · inc\options-page.php:44
action · update_option_pdfjs_download_button · inc\options-page.php:53
action · update_option_pdfjs_print_button · inc\options-page.php:54
action · update_option_pdfjs_fullscreen_link · inc\options-page.php:55
action · update_option_pdfjs_fullscreen_link_text · inc\options-page.php:56
action · update_option_pdfjs_fullscreen_link_target · inc\options-page.php:57
action · update_option_pdfjs_embed_height · inc\options-page.php:58
action · update_option_pdfjs_embed_width · inc\options-page.php:59
action · update_option_pdfjs_viewer_scale · inc\options-page.php:60
action · update_option_pdfjs_viewer_pagemode · inc\options-page.php:61
action · update_option_pdfjs_search_button · inc\options-page.php:62
action · update_option_pdfjs_editing_buttons · inc\options-page.php:63
action · admin_menu · inc\options-page.php:69
filter · plugin_action_links_pdfjs-viewer-shortcode/pdfjs-viewer.php · inc\options-page.php:196
action · plugins_loaded · pdfjs-viewer.php:36
Maintenance & Trust

PDF.js Viewer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 10, 2025
PHP min version: 7.4
Downloads: 388K

Community Trust

Rating: 88/100
Number of ratings: 53
Active installs: 20K
Developer Profile

PDF.js Viewer Developer Profile

Ben Lawson

1 plugin · 20K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 722 days
Detection Fingerprints

How We Detect PDF.js Viewer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
