
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-24759 is a security vulnerability in the PDF.js Viewer WordPress plugin, affecting versions before 2.0.2. It was publicly disclosed on November 8, 2021, and stems from unescaped shortcode and Gutenberg Block attributes that could enable Cross-Site Scripting (XSS) attacks. Users with roles as low as Contributor could potentially exploit this vulnerability (WPScan Advisory).
The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists due to improper escaping of shortcode and Gutenberg Block attributes in the plugin (NVD Database).
The vulnerability allows attackers with Contributor-level access or higher to perform Cross-Site Scripting attacks by manipulating shortcode and Gutenberg Block attributes. Because these attributes are rendered into page markup without escaping, this could lead to the execution of attacker-controlled JavaScript in the browsers of users who view the affected content (WPScan Advisory).
The vulnerability has been patched in version 2.0.2 of the PDF.js Viewer WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan Advisory).
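To make the defect class concrete, the following is an added illustration written for this page; it is not code from the PDF.js Viewer plugin and does not reproduce its actual shortcode or block. It uses a hypothetical `[example_pdf]` shortcode and a hypothetical `example/pdf` block, both assumed names, and contrasts the unescaped pattern that leads to CWE-79 with the form that escapes every attribute for the HTML context it is emitted into. The WordPress functions used (`shortcode_atts`, `esc_url`, `esc_attr`, `add_shortcode`, `register_block_type`) are real core APIs.

```php
<?php
// Added illustration, not the plugin's own code. Shortcode and block attributes
// are written by post authors, and Contributor-level users can author posts,
// so every attribute value must be treated as untrusted input.

// Vulnerable pattern (CWE-79): attribute values are concatenated straight into
// markup, so a value containing a quote or angle bracket can break out of the
// attribute and inject arbitrary HTML/JavaScript.
function example_pdf_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'width' => '100%' ), $atts, 'example_pdf' );
    return '<iframe src="' . $atts['url'] . '" width="' . $atts['width'] . '"></iframe>';
}

// Hardened pattern: each attribute is escaped for the context it lands in.
function example_pdf_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'width' => '100%' ), $atts, 'example_pdf' );

    // esc_url() strips disallowed schemes (e.g. javascript:) and returns '' for
    // values it cannot sanitize, so an empty result means "refuse to render".
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return '';
    }

    // esc_attr() encodes quotes and angle brackets, so the value cannot
    // terminate the attribute or open a new tag.
    return sprintf(
        '<iframe src="%s" width="%s"></iframe>',
        $url,
        esc_attr( $atts['width'] )
    );
}
add_shortcode( 'example_pdf', 'example_pdf_shortcode_safe' );

// The same rule applies to a dynamic Gutenberg block: its render_callback
// receives the saved block attributes, which are equally attacker-writable.
function example_pdf_block_render( $attributes ) {
    $url   = isset( $attributes['url'] ) ? esc_url( $attributes['url'] ) : '';
    $width = isset( $attributes['width'] ) ? esc_attr( $attributes['width'] ) : '100%';
    if ( '' === $url ) {
        return '';
    }
    return sprintf( '<iframe src="%s" width="%s"></iframe>', $url, $width );
}
register_block_type( 'example/pdf', array(
    'render_callback' => 'example_pdf_block_render',
) );
```

The review check this suggests is mechanical: in any shortcode or block render callback, trace every `$atts[...]` / `$attributes[...]` read to the point where it reaches output and confirm it passes through the escaping function matching that context (`esc_attr` inside attributes, `esc_url` for `src`/`href`, `esc_html` for text nodes). For the deployed plugin itself, the relevant mitigation remains confirming the installed version is 2.0.2 or later, for instance via `wp plugin list` on the site.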
Source: This report was generated using AI