EUVD-2021-34682Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionCVE.org
The ZoomSounds plugin before 6.05 contains a PHP file allowing unauthenticated users to upload an arbitrary file anywhere on the web server.
AnalysisAI
CVE-2021-4457 is an unauthenticated arbitrary file upload vulnerability in the ZoomSounds WordPress plugin versions before 6.05. The vulnerability exists in a PHP file that fails to implement proper access controls, allowing remote attackers to upload malicious files anywhere on the web server without authentication. This critical flaw enables complete system compromise through remote code execution, with a CVSS score of 9.1 indicating severe impact. While specific KEV and EPSS data are not provided in the available intelligence, the combination of unauthenticated access (CVSS AV:N/PR:N), high impact to confidentiality and integrity, and the prevalence of WordPress plugin exploitation in the wild suggests this represents an actively exploited vulnerability in real-world deployments.
Technical ContextAI
ZoomSounds is a WordPress audio player plugin distributed through the WordPress.org plugin repository. The vulnerability stems from inadequate input validation and access control in a PHP file handler, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The root cause is the absence of authentication checks (PR:N in CVSS vector) combined with insufficient file type validation, allowing attackers to bypass WordPress security functions and upload executable PHP files. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning no special conditions or user interaction is required. The CPE context would be: cpe:2.3:a:zoomsounds:zoomsounds:*:*:*:*:*:wordpress:*:* with version constraints <6.05. This affects any WordPress installation with the vulnerable plugin active, regardless of WordPress hardening.
RemediationAI
Immediate remediation steps: (1) Update ZoomSounds plugin to version 6.05 or later immediately through WordPress admin dashboard (Plugins > Updates) or manually via WordPress.org repository download, (2) After patching, audit the web server for suspicious uploaded files, particularly in wp-content/uploads and other world-writable directories, checking modification timestamps around vulnerability discovery dates, (3) Search web server logs for POST requests to the vulnerable PHP file endpoint with upload parameters to identify exploitation attempts, (4) If unable to update immediately, disable the ZoomSounds plugin entirely (Deactivate and Delete) until patching can be completed, (5) Implement Web Application Firewall (WAF) rules to block file upload requests to ZoomSounds plugin endpoints as temporary mitigation, (6) Consider restricting PHP execution in wp-content/uploads directory via .htaccess (AddType text/plain .php) to prevent execution of uploaded malicious files. No vendor advisory link is provided in available intelligence; refer to WordPress.org ZoomSounds plugin page and WPVULNDB for official patch confirmation.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today