Platform: wordpress
Component: music-sheet-viewer
Fixed in: 4.1.1
CVE-2024-13671 describes an Arbitrary File Read vulnerability discovered in the Music Sheet Viewer plugin for WordPress. This vulnerability allows unauthenticated attackers to access sensitive files on the server. It impacts versions of the plugin up to and including 4.1. A fix is available via plugin update.
The primary impact of CVE-2024-13671 is the potential for unauthorized access to sensitive files on the web server. An attacker could exploit this vulnerability to read configuration files, database credentials, source code, or any other file accessible by the web server process. Successful exploitation could lead to data breaches, compromise of server-side applications, and, potentially, complete server takeover if sensitive credentials are exposed. Because exploitation requires no authentication, the attack surface is significantly broader, making this a high-priority concern.
CVE-2024-13671 was publicly disclosed on 2025-01-30. No public proof-of-concept exploits are currently known, but the ease of exploitation makes it likely that one will emerge. The vulnerability is not currently listed on CISA KEV. Active campaigns are not confirmed at this time, but the vulnerability's simplicity warrants close monitoring.
Exploit Status
EPSS: 0.58% (69th percentile)
The recommended mitigation for CVE-2024-13671 is to immediately update the Music Sheet Viewer plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests targeting the vulnerable readscorefile() function. Restrict file permissions on the server to minimize the potential damage from a successful exploit. Monitor web server access logs for suspicious activity related to file access attempts. After upgrade, verify the fix by attempting to access a restricted file via the vulnerable endpoint and confirming access is denied.
Update the Music Sheet Viewer plugin to the latest available version. This will fix the unauthenticated arbitrary file read vulnerability.
CVE-2024-13671 is a vulnerability in the Music Sheet Viewer WordPress plugin allowing unauthenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using Music Sheet Viewer version 4.1 or earlier. Check your plugin versions immediately.
Update the Music Sheet Viewer plugin to the latest version. If immediate upgrade isn't possible, implement a WAF rule to block access to the vulnerable function.
Active exploitation is not currently confirmed, but the vulnerability's simplicity makes it a likely target. Monitor your systems closely.
Check the Music Sheet Viewer plugin page on WordPress.org for updates and security advisories.
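One way to check a host for affected installs, as an added example (not code from the advisory or the plugin project): it reads the version from the plugin's header comment and compares it with the fixed release 4.1.1. The default wp-content/plugins layout and the function names are assumptions of this example.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "music-sheet-viewer"  # component named in the advisory
FIXED_VERSION = "4.1.1"             # "Fixed in" value from the advisory

# WordPress takes plugin metadata from a header comment near the top of the main PHP file.
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def version_key(text):
    """'4.1' -> (4, 1). Trailing zeros are dropped so that 4.1.0 compares equal to 4.1."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if none is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if re.search(r"Plugin Name:", head, re.I):
            match = VERSION_HEADER.search(head)
            if match:
                return match.group(1)
    return None

def audit(wp_root):
    """Classify one WordPress root (assumes the default wp-content/plugins location)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)  # directory exists but has no readable header: inspect by hand
    if version_key(version) < version_key(FIXED_VERSION):
        return ("vulnerable", version)
    return ("patched", version)

if __name__ == "__main__":
    # Usage: python audit_msv.py /var/www/site1 /var/www/site2
    for root in sys.argv[1:]:
        status, version = audit(root)
        print(f"{root}: {status} ({version or 'n/a'})")
```

The check reports the version on disk whether or not the plugin is activated, so treat a "vulnerable" result as something to update or remove rather than ignore.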