Platform: wordpress
Component: ultimate-video-player
Fixed in: 10.0.1
CVE-2024-10804 describes an Arbitrary File Access vulnerability discovered in the Ultimate Video Player WordPress & WooCommerce Plugin. This flaw allows unauthenticated attackers to read sensitive files directly from the server's file system. The vulnerability impacts versions of the plugin up to and including 10.0. A patch is expected to be released by the vendor to address this issue.
The primary impact of CVE-2024-10804 is the potential for unauthorized access to sensitive data stored on the web server. An attacker exploiting this vulnerability could read configuration files, database credentials, source code, or any other file accessible to the web server process. This could lead to complete compromise of the WordPress site, data breaches, and potential lateral movement within the network if credentials are exposed. The content/downloader.php file is the direct entry point for this attack, allowing attackers to manipulate file paths to access arbitrary locations.
CVE-2024-10804 was publicly disclosed on 2025-03-07. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. While no exploitation has been confirmed, the ease of exploitation and the potential impact warrant immediate attention and mitigation.
Exploit Status
EPSS: 2.55% (85th percentile)
The immediate mitigation for CVE-2024-10804 is to upgrade the Ultimate Video Player WordPress plugin to a version that includes the security patch. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting access to the content/downloader.php file using a web application firewall (WAF) or proxy server. Implement strict access controls and file permissions on the server to limit the potential damage if the vulnerability is exploited. Monitor web server access logs for suspicious requests targeting the content/downloader.php file.
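The log-monitoring step above, as an added example that is not from the advisory or the plugin vendor: a small Python scanner over constructed access-log lines that flags requests to content/downloader.php whose query values contain directory-traversal sequences, including double-percent-encoded ones. The query parameter name (`path`) is an assumption, since the advisory does not name it, so the scanner inspects every query value rather than one parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format); the "path" parameter name is assumed.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/ultimate-video-player/content/downloader.php?path=videos/intro.mp4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Mar/2025:10:01:05 +0000] "GET /wp-content/plugins/ultimate-video-player/content/downloader.php?path=../../../../wp-config.php HTTP/1.1" 200 3072 "-" "curl/8.4.0"
203.0.113.12 - - [08/Mar/2025:10:01:09 +0000] "GET /wp-content/plugins/ultimate-video-player/content/downloader.php?path=..%252F..%252Fwp-config.php HTTP/1.1" 200 3072 "-" "python-requests/2.31"
203.0.113.13 - - [08/Mar/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 48 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
VULN_PATH = "/content/downloader.php"        # entry point named in the advisory
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")  # a bare ".." path segment

def fully_decode(value, rounds=3):
    # Peel up to `rounds` layers of percent-encoding so %252e%252e%252f reads as ../
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_value(value):
    # Flag values that walk up the directory tree or name an absolute path.
    v = fully_decode(value).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(v)) or v.startswith("/")

def scan_access_log(text):
    # One record per request to downloader.php carrying a traversal-like query value;
    # a status of 200 means the server actually served the requested file.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not fully_decode(url.path).lower().endswith(VULN_PATH):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if is_suspicious_value(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": key,
                             "value": fully_decode(value), "status": int(m.group("status"))})
                break
    return hits

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["value"]} -> HTTP {h["status"]}')
```

Legitimate downloads of files under the plugin's own directory pass through unflagged, while a 200 response on a flagged line is the signal to treat the host as potentially compromised.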
Update the Ultimate Video Player WordPress & WooCommerce Plugin to the latest available version. This resolves the unauthenticated arbitrary file download vulnerability.
CVE-2024-10804 is a vulnerability in the Ultimate Video Player WordPress plugin allowing unauthenticated attackers to read arbitrary files on the server via the content/downloader.php file, rated as CVSS 7.5 (HIGH).
You are affected if you are using the Ultimate Video Player WordPress plugin version 10.0 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Ultimate Video Player WordPress plugin to the latest version, which includes the security patch. If upgrading is not possible, restrict access to content/downloader.php with a WAF.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate mitigation.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and updated version.