https://wordpress.org/plugins/cool-video-gallery

If any of the arguments being passed to $command are sourced from user input,
I believe we can inject commands to be passed to the shell via exec() on line
714.

In cool-video-gallery/lib/core.php lines 703-714: 


 703                 $gallery = videoDB::find_gallery($video->galleryid);
 704                 $video_input = $gallery->abspath . '/' . $video->filename;
 705                 $new_target_filename = $video->alttext . '.png';
 706                 $new_target_file = $gallery->abspath . '/thumbs/thumbs_' . $new_target_filename;
 707 
 708                 if($video->video_type == $cool_video_gallery->video_type_media){
 709                         $command = $options['cvg_ffmpegpath'] . " -i '$video->filename' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5      -s ".$thumb_width ."x".$thumb_height." '$new_target_file'";
 710                 }else {
 711                         $command = $options['cvg_ffmpegpath'] . " -i '$video_input' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s "     .$thumb_width ."x".$thumb_height." '$new_target_file'";
 712                 }
 713 
 714                 exec ( $command );