ZoomSounds Plugin CVE-2021-4449
Severity: CRITICAL
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this.
Analysis (AI)
Unauthenticated arbitrary file upload in the ZoomSounds WordPress plugin (versions ≤5.96) allows remote attackers to upload malicious PHP files via the 'savepng.php' endpoint, enabling remote code execution on the underlying web server. Publicly available exploit code exists, and the EPSS score of 81.62% (99th percentile) indicates a very high likelihood of opportunistic exploitation, particularly against the large WordPress install base where this plugin is deployed.
Technical Context (AI)
The vulnerability resides in the 'savepng.php' handler shipped with the DigitalZoomStudio ZoomSounds audio plugin for WordPress (CPE cpe:2.3:a:digitalzoomstudio:zoomsounds), which fails to validate the MIME type or extension of uploaded files. This is a textbook CWE-434 (Unrestricted Upload of File with Dangerous Type) flaw: by accepting attacker-controlled content without enforcing an allowlist, the script permits PHP payloads to be written into a webroot-accessible directory where the PHP interpreter will execute them. WordPress plugins of this type are commonly installed in default Apache/Nginx + PHP-FPM stacks, making the uploaded file directly reachable by HTTP.
Remediation (AI)
Upgrade the ZoomSounds plugin to a version greater than 5.96; the exact fixed release is not enumerated in the provided data, so administrators should pull the latest available build from the vendor (DigitalZoomStudio via CodeCanyon) and verify the 'savepng.php' file either enforces extension/MIME allowlists or has been removed. If immediate upgrade is not possible, deploy a WAF rule (Wordfence, ModSecurity, or equivalent) blocking POST requests to '/wp-content/plugins/zoomsounds/savepng.php' - note this will break legitimate plugin functionality that relies on that endpoint. As a stronger compensating control, restrict PHP execution within the plugin's upload directory using an .htaccess 'php_flag engine off' rule or Nginx location block, which prevents uploaded files from executing even if written to disk; the trade-off is that any legitimate dynamic features in that directory will also stop working. Audit the plugin's upload directory immediately for unexpected .php/.phtml files indicating prior compromise.
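The audit step above, as an added helper script that is not part of the plugin or of this advisory: it walks a directory and reports files a PHP handler would execute by extension, plus any file whose first bytes are a PHP open tag regardless of its name (a payload stored under an image extension). The page does not name the plugin's upload directory, so the path is passed as an argument; the extension list is an assumption covering what a default PHP-FPM setup executes, and the script expects POSIX find(1) plus head -c.

```shell
#!/bin/sh
# Added example (not the plugin's or vuln.today's code).
# Usage: find_php_uploads /path/to/wp-content/plugins/zoomsounds/<upload dir>
# Prints offending paths, returns 1 if any were found, 0 if the tree is clean.
# Point it at the upload directory only: the plugin's own code directory
# legitimately contains .php files and would produce expected hits.
find_php_uploads() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Pass 1: names with extensions a default PHP handler executes, matched
    # case-insensitively because .PHP and .Phtml are executed just the same.
    # The extension set is an assumption, not taken from the advisory.
    by_ext=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
                                   -o -iname '*.phar' -o -iname '*.php[0-9]' \))

    # Pass 2: any file whose first bytes are a PHP open tag ("<?php" or "<?"),
    # whatever its name; catches a script saved as e.g. 'track.png' that a
    # misconfigured handler (or a later rename) could turn executable.
    by_tag=$(find "$dir" -type f -exec sh -c \
        'head -c 5 "$1" | grep -q "^<?" && printf "%s\n" "$1"' _ {} \;)

    # Merge both passes, drop blank lines, de-duplicate.
    out=$(printf '%s\n%s\n' "$by_ext" "$by_tag" | sed '/^$/d' | sort -u)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}
```

A non-zero exit lets the function double as a cron or monitoring check; any hit should be treated as a possible prior compromise rather than just deleted.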