Platform: wordpress
Component: all-in-one-music-player
Fixed in: 1.3.2
A Path Traversal vulnerability exists in the All in One Music Player plugin for WordPress, affecting versions from 1.0.0 through 1.3.1. This vulnerability allows authenticated users with Contributor-level access or higher to potentially read arbitrary files on the server. Successful exploitation could lead to the exposure of sensitive data. The vulnerability has been resolved in version 1.3.2.
The primary impact of this Path Traversal vulnerability is unauthorized file read. An attacker holding a Contributor role or higher on the WordPress site can manipulate the 'theme' parameter to name file paths outside the intended directory, and so read any file the web server process itself is able to read. That can include configuration files and database credentials (on WordPress, both live in wp-config.php) and other sensitive data stored on the server. Although the vulnerability requires authentication, Contributor is a low threshold: it is the role commonly given to guest authors and other untrusted content submitters, so the reachable attack surface grows with the number of accounts on the site.
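To make the failure and the fix concrete, the following is an added illustration of the vulnerability class, not the plugin's code: the function names, the themes/ directory layout, the assumed '<name>.css' naming policy and the sample files are all assumptions. It shows a file read that concatenates the request value into a path, next to a hardened version that allowlists the value and then proves the resolved path still sits under the intended directory.

```python
"""Path traversal through a file-selecting request parameter, and its fix.

Added example for this advisory, not the plugin's code: the function names,
the themes/ directory layout and the request values are assumptions that
illustrate the vulnerability class rather than the plugin's actual code paths.
"""
import os
import re
import tempfile

# Allowlist for what a 'theme' value may look like: a bare file name with a
# .css extension, no path separators, no other dots.  Assumed policy.
THEME_FILE_RE = re.compile(r"^[A-Za-z0-9_-]+\.css$")


def read_theme_vulnerable(base_dir: str, theme: str) -> str:
    """Concatenates the request value into a path and reads it (the flaw).

    Nothing stops `theme` from containing '../' or starting with '/', so the
    web server user's read access decides what comes back.
    """
    path = os.path.join(base_dir, "themes", theme)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def read_theme_hardened(base_dir: str, theme: str) -> str:
    """Same operation with two independent checks on `theme`.

    1. Syntactic allowlist: reject anything that is not a plain '<name>.css'.
    2. Containment: resolve symlinks and '..' with realpath and require the
       result to sit under themes/.  Either check alone stops the simple
       payloads; together they also survive an allowlist oversight.
    """
    if not THEME_FILE_RE.fullmatch(theme):
        raise ValueError(f"rejected theme value: {theme!r}")
    themes_dir = os.path.realpath(os.path.join(base_dir, "themes"))
    candidate = os.path.realpath(os.path.join(themes_dir, theme))
    if os.path.commonpath([themes_dir, candidate]) != themes_dir:
        raise ValueError(f"path escapes themes directory: {candidate}")
    with open(candidate, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Builds a throwaway site layout and exercises both functions.

    The files and their contents are constructed for this demo only.
    """
    with tempfile.TemporaryDirectory() as site:
        os.mkdir(os.path.join(site, "themes"))
        with open(os.path.join(site, "themes", "default.css"), "w", encoding="utf-8") as fh:
            fh.write("body { color: #333; }\n")
        with open(os.path.join(site, "wp-config.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")

        results = {
            "legit_vulnerable": read_theme_vulnerable(site, "default.css"),
            "legit_hardened": read_theme_hardened(site, "default.css"),
            # Traversal payload: one '../' climbs out of themes/ into the site root.
            "traversal_vulnerable": read_theme_vulnerable(site, "../wp-config.php"),
        }
        for payload in ("../wp-config.php", "/etc/passwd", "default.css/../../wp-config.php"):
            try:
                read_theme_hardened(site, payload)
                results[f"hardened:{payload}"] = "ALLOWED"
            except ValueError:
                results[f"hardened:{payload}"] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value.strip()}")
```

The containment check matters even with the regex in place: if a later change relaxes the allowlist (for example to permit subdirectories), realpath plus commonpath still refuses anything that resolves outside themes/, including a symlink planted inside it.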
This vulnerability was publicly disclosed on 2025-09-30. No public proof-of-concept (PoC) code had been identified at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Path traversal bugs are simple to weaponize once the vulnerable parameter is known, so given the plugin's popularity it is reasonable to expect attackers to develop and deploy exploits in the future.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS Vector:
The most effective mitigation is to upgrade the All in One Music Player plugin to version 1.3.2 or later immediately. If upgrading is not immediately feasible because of compatibility or testing requirements, tighten filesystem permissions so that the PHP process can read only the files it needs (in particular, wp-config.php should not be readable by other accounts on the host); this does not remove the bug, but it limits what a successful traversal can reach. A Web Application Firewall (WAF) rule that blocks requests whose parameters contain traversal sequences or absolute paths adds a further layer, provided the rule inspects the parameter after URL decoding, including double-encoded forms, rather than matching only the literal string "../". Finally, review WordPress user roles regularly, remove stale Contributor and higher accounts, and grant each remaining user only the role they need.
Update the All in One Music Player plugin to version 1.3.2 or later to fix the Path Traversal vulnerability. The update corrects the issue by validating the 'theme' parameter before it is used to locate a file, preventing reads outside the intended directory. Back up the site (files and database) before updating the plugin.
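Where the upgrade is delayed, or when checking whether the bug was exploited before the upgrade, the access log is the first place to look. The following is an added example, not part of the advisory or of any WAF product: it scans web server log lines for requests whose 'theme' parameter, after repeated URL decoding, contains parent-directory hops, an absolute path or a NUL byte. The combined log format, the request path, and every log line in it are constructed; the advisory names only the parameter, not the endpoint that reads it, so the endpoint shown is a placeholder.

```python
"""Flag access-log requests whose 'theme' parameter looks like path traversal.

Added example, not part of the advisory: the log format (Apache/nginx
combined), the request path and every sample line are constructed.  The
advisory names only the parameter ('theme'); the endpoint is a placeholder.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators after full decoding: a '..' path component, a leading slash,
# a Windows drive prefix, or a NUL byte (historically used to cut off a
# server-appended extension).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[A-Za-z]:[\\/]|\x00')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..).

    Bounded so a hostile value cannot keep the loop busy forever.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def theme_values(target: str) -> list:
    """Every 'theme' value in the request target's query string (decoded once)."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("theme", [])


def is_traversal_attempt(target: str) -> bool:
    """True if any 'theme' value in the request target is a traversal payload."""
    return any(TRAVERSAL_RE.search(fully_decode(v)) for v in theme_values(target))


def scan_log(lines) -> list:
    """Return (client_ip, status, decoded theme value) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for value in theme_values(m["target"]):
            decoded = fully_decode(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append((m["ip"], int(m["status"]), decoded))
    return hits


# Constructed sample lines.  Lines 2, 3 and 5 carry traversal payloads; line 3
# is double-encoded, which a rule matching the literal "../" would miss.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Sep/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?theme=default HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Sep/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?theme=../../../wp-config.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Sep/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?theme=..%252f..%252fwp-config.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Sep/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?theme=dark-blue HTTP/1.1" 200 1902 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Sep/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?theme=%2fetc%2fpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, status, theme in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} theme={theme!r}")
```

A hit with status 200 from an authenticated account is the one to escalate: it means the request reached the plugin and the response size should be compared against a legitimate theme fetch. A 403 indicates the WAF or application refused it. Two caveats: the parameter may also arrive in a POST body, which the access log does not record, so pair this with the WAF's own request log where available; and the response size on the constructed lines is illustrative only.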
CVE-2025-8559 is a Path Traversal vulnerability affecting the All in One Music Player WordPress plugin versions 1.0.0–1.3.1, allowing authenticated users to read sensitive files.
If you are running the All in One Music Player plugin at any version from 1.0.0 through 1.3.1, your site is affected by this vulnerability.
Upgrade the All in One Music Player plugin to version 1.3.2 or later to resolve the Path Traversal vulnerability.
No active exploitation has been confirmed at this time, but the vulnerability is public and should be expected to be targeted in the future.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.