PT-2019-15878 · Lever+1 · Lever Pdf Embedder+1

Published: 2019-12-05 · Updated: 2024-08-05 · CVE-2019-19589

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Lever PDF Embedder plugin version 4.4 for WordPress

Description: The issue concerns the distribution of polyglot PDF documents that are also valid JAR archives. However, it has been argued that the plugin itself does not control the file upload process, and the responsibility for uploading PDF files remains with the owner of the WordPress site. Uploading of PDF files is handled by WordPress core, not by the PDF Embedder plugin. Detecting and blocking polyglot files must therefore happen at upload time, not when the file is displayed.

Recommendations: For the Lever PDF Embedder plugin version 4.4, implement controls at the time of PDF upload that block polyglot files, since the plugin itself does not manage that process. Ensure that WordPress core upload settings are configured to restrict the upload of potentially malicious files. At the moment, there is no information about a newer version that contains a fix for this issue.
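One way to act on that recommendation at upload time, as an added example that is not code from Lever PDF Embedder or WordPress core: a must-use plugin hooking WordPress's `wp_handle_upload_prefilter` filter that rejects an uploaded .pdf whose tail contains a ZIP end-of-central-directory record, the structure any ZIP/JAR reader needs to find within the last 65,557 bytes of a file to open it as an archive. The function and constant names and the rejection message are assumptions of this example.

```php
<?php
/*
 * Plugin Name: Block PDF/JAR polyglot uploads
 * Description: Added example (not Lever PDF Embedder or WordPress core code).
 *              Place in wp-content/mu-plugins/ so it loads on every request.
 */

// A JAR is a ZIP archive, and every ZIP reader locates the archive by its
// end-of-central-directory (EOCD) record, which must sit within the last
// 65,557 bytes of the file (22-byte record + up to 65,535 bytes of comment).
// A PDF whose tail holds an EOCD record is therefore also a loadable archive.
const PDF_POLYGLOT_EOCD_SIG  = "PK\x05\x06";
const PDF_POLYGLOT_TAIL_SPAN = 65557;

// Returns true when the file at $path carries a ZIP EOCD record in its tail.
// Fails closed (true) when the file cannot be inspected.
function pdf_polyglot_has_zip_eocd($path) {
    $size = @filesize($path);
    if ($size === false) {
        return true;
    }
    if ($size < strlen(PDF_POLYGLOT_EOCD_SIG)) {
        return false; // too small to hold the signature at all
    }
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return true;
    }
    $tail_len = min($size, PDF_POLYGLOT_TAIL_SPAN);
    fseek($fh, -$tail_len, SEEK_END);
    $tail = fread($fh, $tail_len);
    fclose($fh);
    return $tail !== false && strpos($tail, PDF_POLYGLOT_EOCD_SIG) !== false;
}

// wp_handle_upload_prefilter runs before WordPress moves the temp file into
// the media library; setting $file['error'] to a string aborts the upload
// and surfaces that message to the uploader.
add_filter('wp_handle_upload_prefilter', function ($file) {
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'pdf') {
        return $file; // only PDF uploads are in scope here
    }
    if (pdf_polyglot_has_zip_eocd($file['tmp_name'])) {
        $file['error'] = 'Upload rejected: this PDF also contains a ZIP/JAR '
                       . 'archive structure (possible polyglot file).';
    }
    return $file;
});
```

A legitimate PDF that ends with an uncompressed ZIP attachment will be rejected as well, and the hook only covers new browser uploads: sideloads go through the separate `wp_handle_sideload_prefilter` filter, and files already in the media library need a one-off scan with the same check.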

Related Identifiers: CVE-2019-19589

Affected Products: Lever Pdf Embedder, Wordpress