Platform: wordpress
Component: music-sheet-viewer
Fixed in: 4.1.1
CVE-2024-13671 describes an Arbitrary File Read vulnerability discovered in the Music Sheet Viewer plugin for WordPress. This vulnerability allows unauthenticated attackers to access sensitive files on the server. It impacts versions of the plugin up to and including 4.1. A fix is available via plugin update.
The primary impact of CVE-2024-13671 is the potential for unauthorized access to sensitive files on the server. An attacker could exploit this vulnerability to read configuration files, database credentials, source code, or any other file accessible to the web server process. This could lead to complete compromise of the WordPress installation and potentially the entire server. The arbitrary nature of the file access means an attacker isn't limited to specific files; they can attempt to read any file the web server user has permissions to access. This vulnerability shares similarities with other file read vulnerabilities where attackers leverage flaws in file handling logic to gain unauthorized access to system resources.
CVE-2024-13671 was publicly disclosed on 2025-01-30. Currently, there are no known active campaigns exploiting this vulnerability, but the availability of a public proof-of-concept increases the risk of exploitation. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is likely to emerge, increasing the attack surface.
WordPress websites using the Music Sheet Viewer plugin, particularly those running version 4.1 or earlier, are at risk. Shared hosting environments are especially exposed because of the potential for cross-site contamination and limited control over server file permissions. Sites that store sensitive data in locations readable by the web server user are also at increased risk.
• wordpress / composer / npm:
  grep -r 'read_score_file()' /var/www/html/wp-content/plugins/music-sheet-viewer/
• generic web:
  curl -I http://your-wordpress-site.com/wp-content/plugins/music-sheet-viewer/read_score_file.php?file=/etc/passwd
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep music-sheet-viewer
EPSS: 0.58% (69th percentile)
The primary mitigation for CVE-2024-13671 is to upgrade the Music Sheet Viewer plugin to a patched version (4.1.1 or later). If immediate patching is not possible because of compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable endpoint. Web Application Firewalls (WAFs) can be configured to block requests targeting the read_score_file() function or requests containing suspicious file paths. Regularly review file permissions on the server to ensure the web server user has only the access rights it needs. Monitor WordPress and web server logs for unusual file access attempts.
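To support the log-monitoring advice above, the following is an added example (not code from the page or from the plugin's authors) that scans access-log lines for requests to the endpoint and parameter named in the detection commands and flags values that point outside the expected score directory. The endpoint path, the `file` parameter name and the allowed base directory are assumptions, and the log lines are constructed.

```python
import re
import posixpath
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter name as shown in the page's curl check; that the plugin
# exposes exactly this endpoint is an assumption, adjust to your deployment.
ENDPOINT = "/wp-content/plugins/music-sheet-viewer/read_score_file.php"
PARAM = "file"
ALLOWED_BASE = "/var/www/html/wp-content/uploads/"  # constructed: expected score dir
# Combined log format: client IP, timestamp, quoted request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_file_param(value: str) -> Optional[str]:
    """Return why a file parameter looks like an arbitrary read attempt, or None."""
    decoded = unquote(unquote(value))  # catch single and double URL-encoding
    if decoded.startswith("/"):
        return "absolute path"
    if "../" in decoded.replace("\\", "/"):
        return "path traversal"
    # Fallback: resolve against the allowed base and require it to stay inside.
    resolved = posixpath.normpath(posixpath.join(ALLOWED_BASE, decoded))
    if not resolved.startswith(ALLOWED_BASE):
        return "escapes allowed base"
    return None

def scan_log(lines):
    """Return (client, file value, status, reason) for suspicious endpoint requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != ENDPOINT:
            continue
        for value in parse_qs(parts.query).get(PARAM, []):
            reason = classify_file_param(value)
            if reason:
                hits.append((client, value, status, reason))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2025:10:00:01 +0000] "GET ' + ENDPOINT + '?file=scores/minuet.mei HTTP/1.1" 200 4120',
    '203.0.113.9 - - [30/Jan/2025:10:00:07 +0000] "GET ' + ENDPOINT + '?file=/etc/passwd HTTP/1.1" 200 1830',
    '198.51.100.4 - - [30/Jan/2025:10:00:09 +0000] "GET ' + ENDPOINT + '?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3200',
]
if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A 200 status on a flagged request is the signal to treat as a likely successful read and to rotate any credentials the named file could expose.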
Update the Music Sheet Viewer plugin to the latest available version. This fixes the unauthenticated arbitrary file read vulnerability.
CVE-2024-13671 is a vulnerability in the Music Sheet Viewer WordPress plugin allowing unauthenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using Music Sheet Viewer version 4.1 or earlier. Check your plugin versions immediately.
Update the Music Sheet Viewer plugin to the latest version. If immediate upgrade isn't possible, implement a WAF rule to block access to the vulnerable function.
Active exploitation is not currently confirmed, but the vulnerability's simplicity makes it a likely target. Monitor your systems closely.
Check the Music Sheet Viewer plugin page on WordPress.org for updates and security advisories.