CVE-2021-4449

high-risk

Published 2024-10-16

The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this.

Do I need to act?

81.6% chance of exploitation in next 30 days

EPSS score — higher than 18% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Zoomsounds

Affected Vendors

Digitalzoomstudio

References (6)

Product https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist...

Third Party Advisory https://github.com/0xAgun/Arbitrary-File-Upload-ZoomSounds

Third Party Advisory https://ithemes.com/blog/wordpress-vulnerability-report-june-2021-part-5/#ib-toc...

Exploit https://sploitus.com/exploit?id=WPEX-ID:07259A61-8BA9-4DD0-8D52-CC1DF389C0AD

Exploit https://wpscan.com/vulnerability/07259a61-8ba9-4dd0-8d52-cc1df389c0ad

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/262e3bb3-bc83-4d0b-805...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal