Platform: wordpress
Component: mp3-sticky-player
Fixed in: 8.0.1
CVE-2024-10803 describes an Arbitrary File Access vulnerability affecting the MP3 Sticky Player WordPress plugin. This vulnerability allows unauthenticated attackers to read sensitive files from the server. The issue impacts versions of the plugin up to and including 8.0. A patched version 8.0 has been released, resolving the vulnerability.
Successful exploitation of CVE-2024-10803 allows an attacker to read arbitrary files on the server hosting the WordPress site. This could expose sensitive data such as configuration files, database credentials, source code, or other confidential information. The attacker does not require authentication to exploit this vulnerability. The potential blast radius is significant, as any file accessible by the web server process is at risk. This vulnerability shares similarities with other directory traversal exploits, where attackers leverage predictable file paths to bypass access controls.
CVE-2024-10803 was publicly disclosed on November 23, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely to be medium, given the ease of exploitation and the potential for data exposure. No public proof-of-concept exploits have been widely reported as of this date.
WordPress websites utilizing the MP3 Sticky Player plugin, particularly those running versions prior to 8.0, are at risk. Shared hosting environments are especially exposed, since their operators often have limited control over plugin updates and server configuration. Sites that store sensitive data on the same server as the WordPress installation face a heightened risk of data exposure.
• wordpress / composer / npm: list installed plugins and check the installed version (wp plugin list prints the plugin slug, so grep for it rather than the display name):
  wp plugin list | grep mp3-sticky-player
• wordpress / composer / npm: update the plugin by its slug:
  wp plugin update mp3-sticky-player --version=8.0
• generic web: after patching, confirm that a traversal request to the downloader no longer returns a file (check the status code only):
  curl -I http://your-wordpress-site.com/wp-content/downloader.php?file=../../../../etc/passwd
• generic web: check access logs for requests containing ../ sequences targeting downloader.php.
EPSS: 3.05% (87th percentile)
The primary mitigation for CVE-2024-10803 is to immediately upgrade the MP3 Sticky Player plugin to version 8.0. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to the content/downloader.php file. Additionally, restrict file permissions on the WordPress server so that the web server process can read only what it needs, which limits what a successful exploit can disclose. Monitor web server access logs for suspicious requests targeting the downloader.php file. After upgrading, confirm the fix by attempting to access a restricted file via the plugin's downloader and verifying that access is denied.
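The log check recommended above (requests to downloader.php carrying ../ sequences) as a small detector, added here as an example and not part of the advisory or the plugin. It assumes combined-format access logs, keys on the script name downloader.php rather than a fixed directory (the exact plugin path varies between installs), and URL-decodes the query repeatedly so encoded and double-encoded traversal is caught; the log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined format); not real traffic.
# Paths follow the advisory's own example URL; a real install may differ.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Nov/2024:10:01:02 +0000] "GET /wp-content/downloader.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"
203.0.113.11 - - [23/Nov/2024:10:01:05 +0000] "GET /wp-content/downloader.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1450 "-" "python-requests/2.31"
198.51.100.7 - - [23/Nov/2024:10:02:00 +0000] "GET /wp-content/downloader.php?file=track01.mp3 HTTP/1.1" 200 4096000 "-" "Mozilla/5.0"
198.51.100.8 - - [23/Nov/2024:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=../../x HTTP/1.1" 400 12 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Forward- or back-slash traversal step.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalize(text: str) -> str:
    """URL-decode up to three times so %2e%2e%2f and %252e%252e%252f both become ../."""
    prev, cur = None, text
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def is_suspicious(target: str) -> bool:
    """True when the request hits downloader.php and its query contains a traversal sequence."""
    path, _, query = target.partition('?')
    if not path.lower().endswith('/downloader.php'):
        return False
    return bool(TRAVERSAL_RE.search(normalize(query)))


def scan(log_text: str) -> list:
    """Return one record per suspicious request; served=True means the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m['target']):
            hits.append({'ip': m['ip'], 'time': m['ts'], 'target': m['target'],
                         'served': m['status'] == '200'})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with served=True deserves follow-up as a probable successful read; a non-200 hit is still a probe worth correlating across source addresses.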
Update the MP3 Sticky Player plugin to the latest available version. If no newer version is available, consider uninstalling the plugin until a fixed version is published. Consult the vendor's website for more information about the update.
CVE-2024-10803 is a vulnerability in the MP3 Sticky Player WordPress plugin allowing unauthenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if you are running MP3 Sticky Player plugin version 8.0 or earlier on your WordPress site. Upgrade to version 8.0 to resolve the issue.
Upgrade the MP3 Sticky Player plugin to version 8.0. As a temporary measure, restrict access to the downloader.php file using your web server configuration.
There is currently no confirmed active exploitation of CVE-2024-10803, but the ease of exploitation suggests a potential for future attacks.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.