Platform: wordpress
Component: music-sheet-viewer
Fixed in: 4.1.1
CVE-2025-25155 describes an Arbitrary File Access vulnerability in efreja Music Sheet Viewer, allowing attackers to potentially read sensitive files on the server. This vulnerability stems from improper input validation, leading to a path traversal condition. Versions of Music Sheet Viewer from 0.0.0 up to and including 4.1 are affected. A fix is available in version 4.1.1.
An attacker exploiting this vulnerability can leverage path traversal to access files outside of the intended directory. This could include configuration files, source code, or even sensitive data like user credentials or database connection strings. Successful exploitation could lead to information disclosure, privilege escalation, or even remote code execution if the attacker can leverage the accessed files to compromise the underlying system. The potential blast radius depends on the files accessible and the privileges of the web server process.
This vulnerability was publicly disclosed on 2025-02-07. No public proof-of-concept exploits are currently known, but the path traversal nature of the vulnerability makes it likely that exploits will emerge. The EPSS score is currently pending evaluation. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade efreja Music Sheet Viewer to version 4.1.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the server to minimize the impact of a successful attack. Regularly review and harden the WordPress installation, ensuring all plugins and themes are up-to-date. After upgrade, confirm by attempting to access a restricted file via a path traversal URL and verifying access is denied.
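Added example, not part of this advisory or of the plugin's own code: the two defender-side checks the mitigation above implies, written in Python. `safe_resolve` is the containment check a file-serving handler should apply before opening a user-named file, and `looks_like_traversal` / `flag_requests` are a WAF-style pre-filter run over constructed request lines; the `/viewer/` endpoint and the `file` parameter name are hypothetical, not taken from the plugin.

```python
import os
from typing import List, Optional
from urllib.parse import unquote, urlsplit

def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Canonical path of `requested` inside `base_dir`, or None if it escapes."""
    base = os.path.realpath(base_dir)
    # Drop leading slashes so an absolute path cannot replace the base directory;
    # realpath() then collapses ".." segments and symlinks.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # commonpath() is the robust containment test; a plain startswith(base)
    # would accept a sibling such as "<base>-evil" as if it were inside <base>.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def looks_like_traversal(value: str, max_decode: int = 3) -> bool:
    """WAF-style pre-filter: URL-decode repeatedly, then look for a '..' segment."""
    # The decode loop catches "%2e%2e%2f" and double-encoded "%252e%252e%252f";
    # testing whole segments avoids flagging names like "music..sheet.xml".
    current = value
    for _ in range(max_decode + 1):
        if ".." in current.replace("\\", "/").split("/"):
            return True
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return False

# Constructed access-log lines; the endpoint and the "file" parameter name are
# hypothetical, not taken from the plugin.
CONSTRUCTED_REQUESTS = [
    "GET /viewer/?file=sheet.xml HTTP/1.1",
    "GET /viewer/?file=../wp-config.php HTTP/1.1",
    "GET /viewer/?file=%252e%252e%252fwp-config.php HTTP/1.1",
    "GET /viewer/?file=music..sheet.xml HTTP/1.1",
]

def flag_requests(lines: List[str]) -> List[str]:
    """Return the request lines whose raw query values look like traversal attempts."""
    flagged = []
    for line in lines:
        query = urlsplit(line.split(" ")[1]).query  # keep values undecoded
        for pair in query.split("&"):
            if pair and looks_like_traversal(pair.split("=", 1)[-1]):
                flagged.append(line)
                break
    return flagged
```

Note that `safe_resolve` confines an absolute request such as `/etc/passwd` to `<base>/etc/passwd` rather than rejecting it; reject instead if that suits the handler better.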
Update the Music Sheet Viewer plugin to the latest available version to fix the directory traversal vulnerability. Check the plugin's page on WordPress.org for the most recent version and update instructions. Be sure to back up your website before updating any plugin.
CVE-2025-25155 is a vulnerability allowing attackers to read files outside the intended directory in efreja Music Sheet Viewer due to improper input validation, resulting in a path traversal condition.
You are affected if you are using efreja Music Sheet Viewer versions 0.0.0 through 4.1. Versions 4.1.1 and later are not affected.
Upgrade efreja Music Sheet Viewer to version 4.1.1 or later. As a temporary workaround, implement a WAF rule to filter path traversal attempts.
Currently, there are no known active exploits, but the vulnerability's nature suggests potential for exploitation. Continuous monitoring is recommended.
Refer to the official efreja Music Sheet Viewer website or WordPress plugin repository for the latest advisory and update information.