CVE-2019-19589
Description
The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives. Note: It has been argued that "The vulnerability reported in PDF Embedder Plugin is not valid as the plugin itself doesn't control or manage the file upload process. It only serves the uploaded PDF files and the responsibility of uploading PDF file remains with the Site owner of WordPress installation; the upload of PDF file is managed by WordPress core and not by PDF Embedder Plugin. Control & block of polyglot file is required to be taken care of at the time of upload, not on showing the file. Moreover, the reference mentions retrieving the files from the browser cache and manually renaming it to jar for executing the file. That refers to two non-connected steps which have nothing to do with PDF Embedder."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress PDF Embedder plugin 4.4 serves polyglot PDF/JAR files without blocking, enabling potential remote code execution on user download.
Vulnerability
CVE-2019-19589 affects the PDF Embedder plugin version 4.4 for WordPress. The plugin fails to block the distribution of polyglot PDF documents that are also valid JAR archives. This means an attacker can upload a specially crafted file that is simultaneously a valid PDF (so WordPress accepts it) and a valid JAR archive. The plugin then serves this file to users without checking its dual nature [1][2].
Exploitation
An attacker must first have upload access to the WordPress site (e.g., as a contributor or via another upload vulnerability) or entice a site owner to upload a malicious polyglot file. The attacker then distributes the file link to target users. When a user downloads and manually renames the file from .pdf to .jar, the file can be executed as a Java archive. The official description notes that this two-step process (retrieving from browser cache and renaming) is part of the exploitation chain [1].
Impact
Successful exploitation allows an attacker to achieve remote code execution on the end user's system if the user manually renames the file and runs it. The impact is primarily on the client side, potentially compromising the user's machine with arbitrary code execution. There is no direct server-side compromise via this vulnerability [1].
Mitigation
A fix was included in PDF Embedder version 5.0.0, released on 2026-05-14, which likely blocks polyglot files or adds validation. Users should update to version 5.0.0 or later. Alternatively, site owners can implement upload filtering on the WordPress core level to reject files that are not pure PDFs. The vulnerability is not listed on the CISA KEV as of this writing [1].
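As a concrete form of the upload-side filtering recommended above, the following Python check is an added example (not part of this CVE record, of WordPress, or of the PDF Embedder plugin). It flags any file that carries a PDF header and also parses as a ZIP archive, which is what a JAR is; a JAR reader locates the end-of-central-directory record by scanning backwards from the end of the file, so a PDF with an archive appended is still a valid archive, and `zipfile` applies the same rule. The sample PDF and manifest-only archive are constructed inside the script; the function names, the `scan_directory` helper and the assumption that the check is run over `wp-content/uploads` (or wired into a WordPress upload filter such as `wp_handle_upload_prefilter`) are mine.

```python
"""Reject PDF uploads that are also readable ZIP/JAR archives (PDF/JAR polyglots)."""
import io
import os
import sys
import zipfile

PDF_MAGIC = b"%PDF-"


def looks_like_pdf(data: bytes) -> bool:
    # PDF readers accept the header anywhere within the first 1024 bytes.
    return PDF_MAGIC in data[:1024]


def zip_member_names(data: bytes):
    """Member names if the bytes contain a readable ZIP archive, else None.

    ZipFile searches backwards for the end-of-central-directory record and
    tolerates arbitrary prepended bytes, exactly as a JAR reader does, so this
    sees the archive whether or not a PDF precedes it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_upload(data: bytes) -> dict:
    """Accept only files that are PDFs and do not double as a ZIP/JAR."""
    is_pdf = looks_like_pdf(data)
    names = zip_member_names(data)
    is_zip = names is not None
    # A manifest is the usual marker of a JAR; any ZIP structure is rejected anyway.
    is_jar = is_zip and any(n.upper() == "META-INF/MANIFEST.MF" for n in names)
    if is_pdf and not is_zip:
        verdict = "accept"
    elif is_pdf and is_zip:
        verdict = "reject: PDF/ZIP polyglot" + (" (JAR manifest present)" if is_jar else "")
    else:
        verdict = "reject: not a PDF"
    return {"is_pdf": is_pdf, "is_zip": is_zip, "is_jar": is_jar, "verdict": verdict}


def scan_directory(root: str) -> list:
    """Report every .pdf under root (e.g. wp-content/uploads) that also parses as a ZIP."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".pdf"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    result = classify_upload(fh.read())
                if result["is_zip"]:
                    hits.append((path, result["verdict"]))
    return hits


def make_minimal_pdf() -> bytes:
    # Constructed sample: a structurally minimal PDF, enough for the header check.
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def make_minimal_jar() -> bytes:
    # Constructed sample: an archive holding only a manifest, no bytecode.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


SAMPLE_PDF = make_minimal_pdf()
SAMPLE_POLYGLOT = SAMPLE_PDF + make_minimal_jar()  # constructed: both a PDF and a ZIP/JAR


if __name__ == "__main__":
    print("plain PDF:", classify_upload(SAMPLE_PDF)["verdict"])
    print("polyglot: ", classify_upload(SAMPLE_POLYGLOT)["verdict"])
    for path, verdict in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, verdict)
```

The check deliberately rejects any PDF that parses as a ZIP rather than only those with a manifest: a class file inside an unmanifested archive can still be run with an explicit classpath, and a legitimate PDF has no reason to carry an end-of-central-directory record.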
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Lever PDF Embedder plugin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- sejalivre.org/usando-arquivos-polyglot-para-distribuir-malwares/ (MISC)
- wordpress.org/plugins/pdf-embedder/ (MISC)
News mentions
No linked articles in our index yet.