WordPress Plugin Vulnerabilities

PDF Light Viewer < 1.4.12 - Authenticated Command Injection

Description

The plugin allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript.

Proof of Concept

1) Go to Import PDF.
2) Select PDF file.
3) Set compression as 60 | calc | echo
4) Toggle import (the first checkbox)
5) Publish or update
6) Command executes

Affects Plugins

Plugin icon
pdf-light-viewer
Fixed in 1.4.12

References

CVE
CVE-2021-24684

Classification

Type
COMMAND INJECTION
OWASP top 10
A1: Injection
CWE
CWE-78
CVSS
3.8 (low)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
b5295bf9-8cf6-416e-b215-074742a5fc63

Timeline

Publicly Published
2021-09-15 (about 2 years ago)
Added
2021-09-15 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2022-07-22
Title
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
Published
2023-12-22
Title
Backup Migration < 1.4.0 - Authenticated (Admin+) OS Command Injection via url
Published
2022-10-18
Title
ImageMagick-Engine < 1.7.6 - Command Injection via CSRF
Published
2023-10-05
Title
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Published
2024-05-09
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.103 - Admin+ Command Injection