
Zoomsounds

6 CVEs product


CVE-2021-4457 CRITICAL POC PATCH Act Now

CVE-2021-4457 is an unauthenticated arbitrary file upload vulnerability in the ZoomSounds WordPress plugin versions before 6.05. The vulnerability exists in a PHP file that fails to implement proper access controls, allowing remote attackers to upload malicious files anywhere on the web server without authentication. This critical flaw enables complete system compromise through remote code execution, with a CVSS score of 9.1 indicating severe impact. While specific KEV and EPSS data are not provided in the available intelligence, the combination of unauthenticated access (CVSS AV:N/PR:N), high impact to confidentiality and integrity, and the prevalence of WordPress plugin exploitation in the wild suggests this represents an actively exploited vulnerability in real-world deployments.

PHP WordPress RCE Zoomsounds
NVD WPScan
CVSS 3.1: 9.1
EPSS: 0.2%

CVE-2025-3431 HIGH This Week

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress Information Disclosure Zoomsounds
NVD
CVSS 3.1: 7.5
EPSS: 0.5%

CVE-2025-0839 MEDIUM This Month

The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 6.91 due to insufficient input sanitization and output escaping on. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress XSS Zoomsounds
NVD
CVSS 3.1: 6.4
EPSS: 0.1%

CVE-2024-13776 HIGH This Week

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Denial Of Service Zoomsounds
NVD
CVSS 3.1: 8.1
EPSS: 0.2%

CVE-2024-13777 HIGH This Week

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP WordPress Information Disclosure Deserialization Zoomsounds
NVD
CVSS 3.1: 8.1
EPSS: 2.2%

CVE-2021-4449 CRITICAL POC THREAT Emergency

Unauthenticated arbitrary file upload in the ZoomSounds WordPress plugin (versions ≤5.96) allows remote attackers to upload malicious PHP files via the 'savepng.php' endpoint, enabling remote code execution on the underlying webserver. Publicly available exploit code exists, and the EPSS score of 81.62% (99th percentile) indicates a very high likelihood of opportunistic exploitation, particularly against the large WordPress install base where this plugin is deployed.

PHP WordPress RCE File Upload Zoomsounds
NVD GitHub WPScan
CVSS 3.1: 9.8
EPSS: 81.6%
Threat: 5.9