Platform: wordpress
Component: mp3-sticky-player
Fixed in: 8.0.1
CVE-2024-10803 describes an Arbitrary File Access vulnerability affecting the MP3 Sticky Player WordPress plugin. This vulnerability allows unauthenticated attackers to read sensitive files from the server. The vulnerability impacts versions of the plugin up to and including 8.0. A patched version, also designated as 8.0, has been released to address this issue.
Successful exploitation of CVE-2024-10803 allows an attacker to read arbitrary files on the server hosting the WordPress site. This could expose sensitive data such as configuration files, database credentials, source code, or other confidential information. The attacker does not require authentication to exploit this vulnerability, significantly broadening the potential attack surface. The impact is amplified if the server stores sensitive data in plain text or if the attacker can leverage the exposed data to gain further access to the system or network. This vulnerability shares similarities with other directory traversal exploits where attackers leverage flawed file path handling to access unauthorized resources.
CVE-2024-10803 was publicly disclosed on November 23, 2024. There is no indication of active exploitation at this time, but the ease of exploitation and lack of authentication requirements suggest a potential for future attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Exploit Status
EPSS: 3.05% (87th percentile)
The primary mitigation for CVE-2024-10803 is to immediately upgrade the MP3 Sticky Player plugin to version 8.0. Since the patched version shares the same version number as the affected version, ensure the plugin is updated to the latest available release. As a temporary workaround, restrict access to the downloader.php file using your web server's configuration (e.g., .htaccess for Apache, or equivalent for Nginx). Consider implementing a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal sequences. Regularly review WordPress plugin security and update plugins promptly.
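As an added defender-side example that is not part of the original advisory, the following Python script scans web-server access logs for path-traversal sequences in requests to downloader.php, which is the kind of pattern the WAF rules above are meant to block. It decodes percent-encoding repeatedly so single- and double-encoded variants are caught, and it inspects the whole request target rather than a named parameter because the advisory does not say which query parameter is vulnerable. The log lines are constructed samples, and the `file` parameter in them is a placeholder, not an identifier taken from the plugin.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The "file" query parameter is a placeholder; the advisory names only downloader.php.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Nov/2024:10:01:02 +0000] "GET /wp-content/plugins/mp3-sticky-player/downloader.php?file=song.mp3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [23/Nov/2024:10:01:05 +0000] "GET /wp-content/plugins/mp3-sticky-player/downloader.php?file=../../../../wp-config.php HTTP/1.1" 200 3201 "-" "curl/8.0"
203.0.113.12 - - [23/Nov/2024:10:01:09 +0000] "GET /wp-content/plugins/mp3-sticky-player/downloader.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "python-requests/2.31"
203.0.113.13 - - [23/Nov/2024:10:01:12 +0000] "GET /wp-content/plugins/mp3-sticky-player/downloader.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.14 - - [23/Nov/2024:10:01:15 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method,
# request target, status and response size are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal markers checked after decoding: "../" and its backslash form.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')

VULNERABLE_SCRIPT = "downloader.php"


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e%252f
    (double-encoded "../") is reduced to "../" before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_suspicious(entry):
    """True when the request targets downloader.php and carries a traversal
    sequence anywhere in the (decoded) path or query string."""
    target = entry["target"]
    if VULNERABLE_SCRIPT not in target.lower():
        return False
    return TRAVERSAL_RE.search(decode_fully(target)) is not None


def find_suspicious(log_text):
    """Scan a block of log text and return the flagged requests in order.
    Blocked requests (e.g. 403 from a WAF) are still reported, since a
    blocked probe is evidence of scanning against this endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "status": entry["status"],
                "target": decode_fully(entry["target"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["target"]}')
```

Pipe a real access log into `find_suspicious` (for example by reading the file and passing its contents) to get the flagged entries; the only line in the sample that is deliberately not flagged is the traversal attempt against index.php, because the check is scoped to the plugin's downloader.php, which is the endpoint this advisory concerns. Widen `VULNERABLE_SCRIPT` or drop that condition if you want a site-wide traversal sweep.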
Update the MP3 Sticky Player plugin to the latest available version. If no newer version is available, consider uninstalling the plugin until a fixed version is released. Consult the vendor's website for more information about the update.
CVE-2024-10803 is a vulnerability in the MP3 Sticky Player WordPress plugin allowing unauthenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if your WordPress site uses MP3 Sticky Player plugin version 8.0 or earlier. Upgrade to version 8.0 to resolve the issue.
Upgrade the MP3 Sticky Player plugin to version 8.0. As a temporary measure, restrict access to the downloader.php file using your web server configuration.
There is currently no confirmed active exploitation of CVE-2024-10803, but the ease of exploitation suggests a potential for future attacks.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.