All in One Music Player <= 1.3.1 - Authenticated (Contributor+) Path Traversal via theme Parameter
अनुवाद हो रहा है…प्लेटफ़ॉर्म
wordpress
घटक
all-in-one-music-player
में ठीक किया गया
1.3.2
A Path Traversal vulnerability exists in the All in One Music Player plugin for WordPress, affecting versions from 1.0.0 through 1.3.1. This vulnerability allows authenticated users with Contributor-level access or higher to potentially read arbitrary files on the server. Successful exploitation could lead to the exposure of sensitive data. The vulnerability has been resolved in version 1.3.2.
इस CVE को अपने प्रोजेक्ट में पहचानें
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The primary impact of this Path Traversal vulnerability is the potential for unauthorized file access. An attacker, possessing a Contributor role or higher within the WordPress site, can manipulate the 'theme' parameter to specify file paths outside of the intended directory. This allows them to read files that they would not normally have access to. The data exposed could include configuration files, database credentials, or other sensitive information stored on the server. While the vulnerability requires authentication, the relatively low access threshold (Contributor role) increases the potential attack surface, particularly on sites with many users.
शोषण संदर्भअनुवाद हो रहा है…
This vulnerability was publicly disclosed on 2025-09-30. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of Path Traversal vulnerabilities and the plugin's popularity, it is possible that attackers may develop and deploy exploits in the future.
कौन जोखिम में हैअनुवाद हो रहा है…
WordPress sites utilizing the All in One Music Player plugin, particularly those with a large number of users with Contributor or higher roles, are at risk. Shared hosting environments where server file permissions are less controlled are also more vulnerable.
पहचान के चरणअनुवाद हो रहा है…
• wordpress / composer / npm:
grep -r 'theme=([^&]+)' /var/www/html/wp-content/plugins/all-in-one-music-player/includes/*• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/all-in-one-music-player/includes/theme=../../../../etc/passwd' # Check for file accessहमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.06% (18% शतमक)
CISA SSVC
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- निम्न — कोई भी वैध उपयोगकर्ता खाता पर्याप्त है।
- User Interaction
- कोई नहीं — स्वचालित और मूक हमला। पीड़ित कुछ नहीं करता।
- Scope
- अपरिवर्तित — प्रभाव केवल कमज़ोर घटक तक सीमित।
- Confidentiality
- उच्च — पूर्ण गोपनीयता हानि। हमलावर सभी डेटा पढ़ सकता है।
- Integrity
- कोई नहीं — अखंडता पर कोई प्रभाव नहीं।
- Availability
- कोई नहीं — उपलब्धता पर कोई प्रभाव नहीं।
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The most effective mitigation is to immediately upgrade the All in One Music Player plugin to version 1.3.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting file access permissions on the server to minimize the potential impact of a successful exploit. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to sanitize user input and block attempts to access files outside of the intended directory can provide an additional layer of defense. Regularly review WordPress user roles and permissions to ensure that users only have the necessary access levels.
कैसे ठीक करेंअनुवाद हो रहा है…
Actualice el plugin All in One Music Player a la versión 1.3.2 o superior para mitigar la vulnerabilidad de Path Traversal. Esta actualización corrige el problema al validar correctamente la entrada del parámetro 'theme', evitando el acceso no autorizado a archivos del servidor. Asegúrese de realizar una copia de seguridad de su sitio web antes de actualizar el plugin.
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2025-8559 — Path Traversal in All in One Music Player?
CVE-2025-8559 is a Path Traversal vulnerability affecting the All in One Music Player WordPress plugin versions 1.0.0–1.3.1, allowing authenticated users to read sensitive files.
Am I affected by CVE-2025-8559 in All in One Music Player?
If you are using the All in One Music Player plugin in WordPress versions 1.0.0 through 1.3.1, you are potentially affected by this vulnerability.
How do I fix CVE-2025-8559 in All in One Music Player?
Upgrade the All in One Music Player plugin to version 1.3.2 or later to resolve the Path Traversal vulnerability.
Is CVE-2025-8559 being actively exploited?
No active exploitation has been confirmed at this time, but the vulnerability is publicly known and could be targeted in the future.
Where can I find the official All in One Music Player advisory for CVE-2025-8559?
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।