CVE-2024-7856

CVSS V2 None CVSS V3 None
Description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted.
Overview
  • CVE ID
  • CVE-2024-7856
  • Assigner
  • Wordfence
  • Vulnerability Status
  • PUBLISHED
  • Published Version
  • 2024-08-29T03:52:57.401Z
  • Last Modified Date
  • 2024-08-29T03:52:57.401Z
Weakness Enumerations
CWE URL
CWE-862 http://cwe.mitre.org/data/definitions/862.html
References
Reference URL Reference Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/43adc9dd-1780-440f-90c2-ff05a22eb084?source=cve
https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.7.0.1/includes/class-sonaar-music.php#L755
https://plugins.trac.wordpress.org/changeset/3142445/mp3-music-player-by-sonaar/trunk/includes/class-sonaar-music.php
https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.7.0.1/includes/class-sonaar-music.php#L739
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2024-7856
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7856
History
Created Old Value New Value Data Type Notes
2024-08-29 13:03:44 Added to TrackCVE