Wondershare PDFelement 5.2.9 Privilege Escalation via Unquoted Service Path
Description
Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Local attackers can place a malicious executable in the service path and execute code with LocalSystem privileges upon service restart or system reboot.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: =5.2.9
Patches
Vulnerability mechanics
Root cause
"The WsAppService binary path is unquoted and contains spaces, allowing Windows to misinterpret the path and execute an attacker-controlled file placed in an earlier directory."
Attack vector
A local attacker places a malicious executable (e.g., `WsAppService.exe`) in an earlier, writable directory along the unquoted path, such as `C:\Program.exe` or `C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe`. When the service restarts or the system reboots, Windows will interpret the space in the path as a separator and execute the attacker's payload instead of the legitimate binary. The service runs as LocalSystem, so the payload gains SYSTEM privileges [ref_id=1].
Affected code
The vulnerable service is WsAppService, installed by Wondershare PDFelement 5.2.9. Its binary path is `C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe`, which is unquoted and contains spaces.
What the fix does
The advisory does not provide a patch. The recommended fix is to enclose the binary path in quotes in the service configuration (e.g., `"C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe"`), which prevents Windows from misinterpreting spaces as argument separators. Without a patch, users must manually apply the quoting or restrict write permissions on the affected directories.
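To find which services need the quoting fix and which locations need their write permissions checked, the following added example (not from the advisory or the vendor) audits `ImagePath` values and lists the earlier file names Windows may try, following the prefix search Microsoft documents for `CreateProcess`. Only the WsAppService path comes from this page; the other sample services and all function names are hypothetical.

```python
import re

# Constructed sample data: service name -> ImagePath as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Only the WsAppService
# path is taken from the advisory; the other entries are made up.
SAMPLE_SERVICES = {
    "WsAppService": r"C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe",
    "WsAppServiceQuoted": r'"C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe"',
    "NoSpaces": r"C:\Tools\agent.exe -run",
    "SvcHost": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# Executable portion of an unquoted ImagePath: everything up to the first
# ".exe" that is followed by whitespace or the end of the string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the executable path with any trailing arguments dropped."""
    path = image_path.strip()
    match = _EXE.match(path)
    return match.group(1) if match else path


def ambiguous_candidates(image_path):
    """List earlier file names Windows may try for an unquoted ImagePath.

    Returns [] when the path is quoted or has no space before the
    executable name. Simplification: ".exe" is appended to every prefix.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the path is taken as a single token
    exe = executable_part(path)
    # Each space inside the executable path ends one candidate prefix.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each service with an ambiguous ImagePath to its candidates."""
    findings = {}
    for name, image_path in services.items():
        candidates = ambiguous_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for service, names in audit(SAMPLE_SERVICES).items():
        print(service, "-> quote ImagePath; check write access for:", names)
```

On a live host the same functions can be fed the `ImagePath` values read from the registry instead of the sample dictionary.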
Preconditions
- auth: Attacker must have local access to the Windows system and be able to write a malicious executable to a directory along the unquoted service path.
- config: The WsAppService must be restarted or the system rebooted to trigger execution of the planted executable.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/40535 (mitre, exploit)
- www.vulncheck.com/advisories/wondershare-pdfelement-privilege-escalation-via-unquoted-service-path (mitre, third-party-advisory)
- download.wondershare.com/inst/pdfelement_setup_full1042.exe (mitre, product)
- www.wondershare.com (mitre, product)