Platform: wordpress
Component: ultimate-video-player
Fixed in: 10.0.1
CVE-2024-10804 describes an arbitrary file access vulnerability in the Ultimate Video Player WordPress & WooCommerce Plugin. An unauthenticated attacker can read arbitrary files from the server's filesystem via the plugin's content/downloader.php endpoint, potentially exposing configuration files, database credentials or source code. Versions up to and including 10.0 are affected; the vendor fixed the issue in 10.0.1.
Successful exploitation lets an attacker retrieve any file the web server process can read. On a typical WordPress install that includes wp-config.php, which holds the database password and authentication salts, as well as other credentials and API keys stored in configuration files. Reading application source can in turn reveal further weaknesses. No authentication is required, so the practical impact depends entirely on what the web server user can read. The flaw is a directory traversal: the downloader builds a filesystem path from attacker-controlled input without confining the result to the intended download directory, so access controls on the rest of the filesystem are bypassed.
CVE-2024-10804 was publicly disclosed on 2025-03-07. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. The relatively straightforward nature of directory traversal vulnerabilities suggests that a public proof-of-concept may emerge.
Any website running the Ultimate Video Player plugin at version 10.0 or earlier is affected. Shared hosting environments are at particular risk because administrators often cannot tighten file permissions or the web server configuration, and sites that keep other sensitive data on the same server expose that data as well.
Detection:
• wordpress / composer / npm (on the server; adjust the web root and plugin directory if yours differ):
find /var/www/html -path '*/ultimate-video-player/content/downloader.php'
• generic web (the plugin's endpoint normally lives under wp-content/plugins/ultimate-video-player/):
curl -I https://your-wordpress-site.com/wp-content/plugins/ultimate-video-player/content/downloader.php | grep -i 'content-type'
• wordpress / composer / npm (check the installed version against the fixed release 10.0.1):
wp plugin list --fields=name,version,status | grep ultimate-video-player
Disclosure: 2025-03-07
Exploit status: no known public exploit or active campaign
EPSS: 2.55% (85th percentile)
CISA SSVC: not provided
CVSS: 7.5 (High); vector not listed
The primary mitigation for CVE-2024-10804 is to upgrade the Ultimate Video Player plugin to 10.0.1 or later. If an immediate upgrade is blocked by compatibility testing, apply a temporary workaround: deny access to content/downloader.php with an .htaccess rule or a web application firewall (WAF) rule, accepting that legitimate downloads through that endpoint will stop working until the upgrade. Monitor web server access logs for requests to content/downloader.php whose parameters contain traversal sequences ("../", URL-encoded or double-encoded variants) or absolute paths; a 200 response to such a request on an unpatched install indicates the file was most likely served. After upgrading, confirm the fix by requesting a file outside the plugin's download directory through content/downloader.php and verifying that the request is refused rather than answered with file contents.
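The log monitoring suggested above, as an added example that is not part of the original advisory: a small Python detector that parses combined-format access log lines, keeps only requests to a path ending in content/downloader.php, and flags any query parameter whose decoded value escapes the download directory. The log lines are constructed sample data; the plugin URL prefix and the `path` parameter name are assumptions, which is why the detector inspects every query parameter rather than one known name.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined log format (only the fields we need are named).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the plugin path and the "path" parameter are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/ultimate-video-player/content/downloader.php?path=videos/intro.mp4 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2025:10:02:15 +0000] "GET /wp-content/plugins/ultimate-video-player/content/downloader.php?path=../../../../wp-config.php HTTP/1.1" 200 3321
198.51.100.7 - - [10/Mar/2025:10:02:16 +0000] "GET /wp-content/plugins/ultimate-video-player/content/downloader.php?path=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3321
192.0.2.9 - - [10/Mar/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 10240
198.51.100.7 - - [10/Mar/2025:10:04:30 +0000] "GET /wp-content/plugins/ultimate-video-player/content/downloader.php?path=%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 403 199
"""


def is_traversal(value: str) -> bool:
    """True if the (possibly multiply URL-encoded) value tries to leave a directory."""
    decoded = value
    for _ in range(3):  # unwind double encoding such as %252e%252e -> %2e%2e -> ..
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")  # treat Windows separators like "/"
    if "\x00" in decoded or decoded.startswith("/"):
        return True  # NUL truncation tricks or an absolute path
    return any(seg == ".." for seg in decoded.split("/"))


def flag_downloader_requests(log_text: str) -> list[dict]:
    """Return one record per request to content/downloader.php carrying a traversal value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("content/downloader.php"):
            continue
        # parse_qsl performs one round of URL decoding; is_traversal handles the rest.
        params = parse_qsl(parts.query, keep_blank_values=True)
        suspicious = [name for name, val in params if is_traversal(val)]
        if suspicious:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "params": suspicious, "raw": m["target"],
            })
    return hits


def summarize(hits: list[dict]) -> dict:
    """Count flagged requests per source IP, useful for blocking or follow-up."""
    counts: dict = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = flag_downloader_requests(SAMPLE_LOG)
    for h in flagged:
        served = "SERVED?" if h["status"] == 200 else "blocked"
        print(f'{h["ts"]} {h["ip"]} {served} params={h["params"]} {h["raw"]}')
    print(summarize(flagged))
```

In the sample, the three flagged requests all come from one address; the two that received a 200 before the upgrade should be treated as probable reads of wp-config.php, which means rotating the database password and authentication salts, not just patching.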
Update the Ultimate Video Player WordPress & WooCommerce Plugin to the latest available version. This resolves the unauthenticated arbitrary file download vulnerability.
CVE-2024-10804 is a vulnerability in the Ultimate Video Player WordPress plugin that allows unauthenticated attackers to read arbitrary files on the server via the content/downloader.php endpoint. It is rated CVSS 7.5 (High).
You are affected if you run the Ultimate Video Player WordPress plugin at version 10.0 or earlier. Check the installed plugin version and upgrade to 10.0.1 or later immediately.
Upgrade the Ultimate Video Player WordPress plugin to the latest version, which includes the security patch. If upgrading is not possible, restrict access to content/downloader.php with a WAF.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate mitigation.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and updated version.