CVE-2021-24684: 
WordPress vulnerability analysis and mitigation

The WordPress PDF Light Viewer Plugin vulnerability (CVE-2021-24684) was discovered in versions before 1.4.12, allowing users with Author roles to execute arbitrary OS commands on the server through OS Command Injection when invoking Ghostscript. The vulnerability was publicly disclosed on September 15, 2021, and was discovered by security researcher apple502j (WPScan).

This vulnerability is classified as a Command Injection vulnerability (CWE-78) and falls under the OWASP Top 10 category A1: Injection. The vulnerability received a CVSS score of 3.8 (low severity). The exploitation involves accessing the Import PDF functionality, selecting a PDF file, manipulating the compression parameter with malicious commands, and triggering the execution through the publish or update action (WPScan).

The vulnerability allows authenticated users with Author privileges to execute arbitrary operating system commands on the affected server, potentially leading to complete system compromise (CVE Mitre).

The vulnerability has been fixed in version 1.4.12 of the PDF Light Viewer plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).