Home

Description

The MP3 Sticky Player plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Please note the vendor released the patched version as the same version as the affected version.

PUBLISHED Reserved 2024-11-04 | Published 2024-11-23 | Updated 2024-11-26 | Assigner Wordfence




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

* (semver)
affected

Timeline

2024-11-22:Disclosed

Credits

Tonn finder

References

www.wordfence.com/...-e930-44d9-8278-c4c9e877656a?source=cve

codecanyon.net/...mp3-sticky-player-wordpress-plugin/7930491

cve.org (CVE-2024-10803)

nvd.nist.gov (CVE-2024-10803)

Download JSON