WordPress Plugin Vulnerabilities

PDF Light Viewer < 1.4.12 - Authenticated Command Injection

Description

The plugin allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript.

Proof of Concept

Affects Plugins

Plugin icon
pdf-light-viewer
Fixed in 1.4.12

References

CVE
CVE-2021-24684

Classification

Type
COMMAND INJECTION
OWASP top 10
A1: Injection
CWE
CWE-78
CVSS
3.8 (low)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
b5295bf9-8cf6-416e-b215-074742a5fc63

Timeline

Publicly Published
2021-09-15 (about 4 years ago)
Added
2021-09-15 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2023-10-05
Title
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Published
2023-12-22
Title
Backup Migration < 1.4.0 - Authenticated (Admin+) OS Command Injection via url
Published
2024-06-26
Title
ImageMagick Engine < 1.7.11 - Administrator+ OS Command Injection
Published
2025-03-25
Title
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid < 1.17.0 - Authenticated (Admin+) Command Injection
Published
2024-05-09
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.103 - Admin+ Command Injection