Platform: wordpress
Component: all-in-one-music-player
Fixed in: 1.3.2
A Path Traversal vulnerability exists in the All in One Music Player plugin for WordPress, affecting versions from 1.0.0 through 1.3.1. This vulnerability allows authenticated users with Contributor-level access or higher to potentially read arbitrary files on the server. Successful exploitation could lead to the exposure of sensitive data. The vulnerability has been resolved in version 1.3.2.
The primary impact of this Path Traversal vulnerability is the potential for unauthorized file access. An attacker, possessing a Contributor role or higher within the WordPress site, can manipulate the 'theme' parameter to specify file paths outside of the intended directory. This allows them to read files that they would not normally have access to. The data exposed could include configuration files, database credentials, or other sensitive information stored on the server. While the vulnerability requires authentication, the relatively low access threshold (Contributor role) increases the potential attack surface, particularly on sites with many users.
This vulnerability was publicly disclosed on 2025-09-30. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of Path Traversal vulnerabilities and the plugin's popularity, it is possible that attackers may develop and deploy exploits in the future.
WordPress sites utilizing the All in One Music Player plugin, particularly those with a large number of users with Contributor or higher roles, are at risk. Shared hosting environments where server file permissions are less controlled are also more vulnerable.
• wordpress / composer / npm:
  grep -rE 'theme=([^&]+)' /var/www/html/wp-content/plugins/all-in-one-music-player/includes/*   # -E: the pattern uses extended-regex groups and '+'
• generic web:
  curl -I 'http://your-wordpress-site.com/wp-content/plugins/all-in-one-music-player/includes/theme=../../../../etc/passwd'   # check for file access disclosure
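Beyond the one-off grep and curl checks above, a defender will usually want to look back through web-server access logs for requests that sent a traversal payload in the 'theme' parameter. The PHP script below is an added example, not part of the original advisory and not the plugin's own code: it isolates requests to the plugin directory that carry a 'theme' query parameter and flags values that, after decoding, contain '../', start with '/', or contain a NUL byte. The log lines, usernames, timestamps and the `includes/player.php` request path are constructed for illustration; it requires PHP 8 for `str_starts_with` and `str_contains`.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's or the advisory's code. Scans access-log
// lines for requests to the plugin directory whose 'theme' parameter carries
// a path-traversal payload. All log lines below are constructed.

const PLUGIN_PATH = '/wp-content/plugins/all-in-one-music-player/';

/**
 * True if the request target (path + query) points into the plugin directory
 * and its 'theme' parameter looks like a traversal attempt.
 */
function is_theme_traversal(string $requestTarget): bool
{
    $path  = parse_url($requestTarget, PHP_URL_PATH);
    $query = parse_url($requestTarget, PHP_URL_QUERY);
    if (!is_string($path) || !str_starts_with($path, PLUGIN_PATH)) {
        return false;
    }
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);               // decodes one layer of %XX encoding
    $theme = $params['theme'] ?? null;
    if (!is_string($theme)) {
        return false;
    }
    $theme = rawurldecode($theme);            // second decode catches double-encoded payloads
    $theme = str_replace('\\', '/', $theme);  // treat backslashes like forward slashes
    return str_contains($theme, '../')
        || str_starts_with($theme, '/')
        || str_contains($theme, "\0");
}

/** Extract the request target from a Combined/Common Log Format line, or null. */
function request_target(string $logLine): ?string
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return $m[1];
    }
    return null;
}

/** Return only the log lines that should be escalated. */
function flag_traversal_requests(array $logLines): array
{
    return array_values(array_filter($logLines, function (string $line): bool {
        $target = request_target($line);
        return $target !== null && is_theme_traversal($target);
    }));
}

// Constructed sample log lines (addresses, users, timestamps and the
// player.php path are invented for this example).
$sampleLog = [
    '203.0.113.5 - editor1 [30/Sep/2025:10:00:01 +0000] "GET ' . PLUGIN_PATH . 'includes/player.php?theme=dark HTTP/1.1" 200 1834',
    '203.0.113.5 - editor1 [30/Sep/2025:10:00:09 +0000] "GET ' . PLUGIN_PATH . 'includes/player.php?theme=../../../../etc/passwd HTTP/1.1" 200 2103',
    '198.51.100.7 - contrib2 [30/Sep/2025:10:02:33 +0000] "GET ' . PLUGIN_PATH . 'includes/player.php?theme=..%252F..%252Fwp-config.php HTTP/1.1" 200 2103',
    '198.51.100.7 - contrib2 [30/Sep/2025:10:03:00 +0000] "GET /wp-admin/edit.php?theme=../x HTTP/1.1" 200 5120',
];

// Lines 2 and 3 are flagged (plain and double-encoded traversal); line 1 is a
// normal theme name and line 4 is outside the plugin directory.
foreach (flag_traversal_requests($sampleLog) as $hit) {
    echo "TRAVERSAL ATTEMPT: $hit\n";
}
```

The double decode matters: a value such as `..%252F..%252F` arrives at the application as `..%2F..%2F` after the web server's single decode, and a filter that only inspects the raw query string misses it. Because the check is keyed on the plugin path, the same logic can be dropped into a WAF rule or a log-shipping pipeline with a low false-positive rate.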
Exploit status
EPSS: 0.06% (percentile 18%)
CISA SSVC
CVSS vector
The most effective mitigation is to immediately upgrade the All in One Music Player plugin to version 1.3.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting file access permissions on the server to minimize the potential impact of a successful exploit. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to sanitize user input and block attempts to access files outside of the intended directory can provide an additional layer of defense. Regularly review WordPress user roles and permissions to ensure that users only have the necessary access levels.
Update the All in One Music Player plugin to version 1.3.2 or later to mitigate the Path Traversal vulnerability. This update fixes the issue by correctly validating the input of the 'theme' parameter, preventing unauthorized access to server files. Make sure to back up your website before updating the plugin.
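To make concrete what "correctly validating the 'theme' parameter" means, the PHP snippet below is an added example, not the plugin's actual code or its actual fix: it contrasts the unvalidated concatenation pattern the advisory describes with a handler that applies two independent checks, an allowlist on the raw value and a `realpath()` containment check against the theme directory. The theme directory layout, the `.css` file naming and the function names are assumptions for illustration; the self-test creates a temporary directory with one theme file and requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Function names and the
// "<themeDir>/<name>.css" layout are assumptions for illustration.

/**
 * Vulnerable pattern the advisory describes: the user-supplied value is
 * concatenated into a filesystem path with no validation, so a value such as
 * '../../../../etc/passwd' walks out of the theme directory.
 */
function vulnerable_theme_file(string $themeDir, string $theme): string
{
    return $themeDir . '/' . $theme . '.css';
}

/**
 * Hardened resolver: returns the absolute path of the theme file, or null.
 *  1. Allowlist on the raw value (lowercase letters, digits, '_' and '-', at
 *     most 64 chars). This rejects '../', '/', '%', NUL bytes and anything
 *     else before it ever touches the filesystem.
 *  2. realpath() containment: the resolved file must sit under the resolved
 *     theme directory, so a symlink inside themes/ cannot escape either.
 */
function resolve_theme_file(string $themeDir, string $theme): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }
    $base = realpath($themeDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $theme . '.css');
    if ($candidate === false) {
        return null; // no such theme
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the theme directory
    }
    return $candidate;
}

// Self-test against a temporary theme directory containing one real theme.
$dir = sys_get_temp_dir() . '/theme_example_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/dark.css', "body{background:#000}\n");

$cases = [
    'dark'                   => true,   // legitimate theme
    'missing'                => false,  // well-formed name, not on disk
    '../../../../etc/passwd' => false,  // classic traversal (the advisory's example)
    "dark\0.php"             => false,  // NUL-byte truncation attempt
    '..%2F..%2Fwp-config.php' => false, // encoded traversal; '%' fails the allowlist
];
foreach ($cases as $input => $expectAllowed) {
    $result  = resolve_theme_file($dir, $input);
    $allowed = $result !== null;
    printf("%-30s %s\n", json_encode($input), $allowed ? 'allowed -> ' . basename($result) : 'rejected');
    if ($allowed !== $expectAllowed) {
        throw new RuntimeException("unexpected result for " . json_encode($input));
    }
}
// The vulnerable version happily builds the escaping path for the same input.
echo "vulnerable path: " . vulnerable_theme_file($dir, '../../../../etc/passwd') . "\n";

unlink($dir . '/dark.css');
rmdir($dir);
```

The allowlist runs first on purpose: `realpath()` on a string containing a NUL byte throws in PHP 8, and a blocklist that only strips `../` can be bypassed by nested sequences, whereas a strict character class has no such edge cases. The containment check is the safety net for the case the allowlist cannot see, a valid-looking name that resolves through a symlink to somewhere else.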
CVE-2025-8559 is a Path Traversal vulnerability affecting the All in One Music Player WordPress plugin versions 1.0.0–1.3.1, allowing authenticated users to read sensitive files.
If you are using the All in One Music Player plugin in WordPress versions 1.0.0 through 1.3.1, you are potentially affected by this vulnerability.
Upgrade the All in One Music Player plugin to version 1.3.2 or later to resolve the Path Traversal vulnerability.
No active exploitation has been confirmed at this time, but the vulnerability is publicly known and could be targeted in the future.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.