cbcvebase.
CVE-2021-4449
published 2024-10-16


Priority: P182 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 5.29% (91.5th percentile)
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this.

Affected (2 ranges)

Vendor              Product                                               Version range   Fixed in
digitalzoomstudio   zoomsounds                                            <= 5.96         (none listed)
zoomit              zoomsounds_wordpress_wave_audio_player_with_playlist  <= 5.96         (none listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/dzs-zoomsounds/savepng.php
url:  /wp-content/plugins/dzs-zoomsounds/savepng.php?location={{rand_filename}}.php
path: /wp-content/plugins/dzs-zoomsounds/
  • Probe for the vulnerable endpoint by sending a GET request to /wp-content/plugins/dzs-zoomsounds/savepng.php; a 200 response indicates the vulnerable plugin is present.
  • Exploitation involves a POST request to savepng.php with a `location` query parameter specifying a PHP filename, allowing unauthenticated upload of arbitrary PHP files.
  • After upload, the attacker verifies RCE by fetching the uploaded PHP file directly under the plugin directory; a 200 response with expected content confirms successful exploitation.
  • Detect exploitation attempts by monitoring HTTP logs for POST requests to savepng.php containing a `location` parameter with a .php extension, originating from unauthenticated sessions.
  • Use FOFA or similar asset-discovery queries to identify exposed WordPress instances running the ZoomSounds plugin by searching for the plugin path in page bodies.
  • The vulnerability affects ZoomSounds plugin versions up to and including 5.96; installations beyond this version may not be vulnerable.
  • CVE-2021-4457 is a duplicate of this CVE; detections and mitigations for one apply equally to the other.
  • The Nuclei template uses a three-step flow (fingerprint → upload → verify RCE); all three HTTP steps must succeed for a confirmed positive, reducing false positives.
  • The template is marked `intrusive` — running it will actually upload a file to the target server; use only in authorized testing environments.
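A detection pass over web-server access logs for the indicators listed above, added here as an example; it is not taken from the page's sources or from the Nuclei template. The combined log format, the constructed sample lines and the PHP-family extensions beyond `.php` are assumptions. It mirrors the three-step exploit flow as three detections and correlates a successful upload with a later fetch of the uploaded file from the plugin directory.

```python
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_DIR = "/wp-content/plugins/dzs-zoomsounds/"
ENDPOINT = PLUGIN_DIR + "savepng.php"
# The page's indicator is a ".php" extension; the other suffixes are an assumed generalisation.
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.I)
# Apache/nginx "combined" format (assumed): ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan(lines):
    """Mirror the three-step exploit flow as detections: endpoint probe, upload attempt, fetch of the file."""
    uploaded = {}   # ?location= filename -> client IP, recorded only when the POST returned 200
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, status = m.group("ip"), m.group("method"), int(m.group("status"))
        url = urlsplit(m.group("target"))
        if url.path == ENDPOINT:
            # parse_qs percent-decodes, so location=x%2Ephp is still seen as x.php
            locs = parse_qs(url.query, keep_blank_values=True).get("location", [])
            if method == "POST" and locs and PHP_EXT.search(locs[0]):
                findings.append({"kind": "upload_attempt", "ip": ip, "file": locs[0], "status": status})
                if status == 200:
                    uploaded[locs[0]] = ip
            elif method == "GET":
                findings.append({"kind": "probe", "ip": ip, "file": None, "status": status})
        elif method == "GET" and url.path.startswith(PLUGIN_DIR):
            name = url.path[len(PLUGIN_DIR):]
            if name in uploaded and status == 200:
                findings.append({"kind": "webshell_fetch", "ip": ip, "file": name, "status": status})
    return findings

def scan_text(text):
    return scan(text.splitlines())

# Constructed sample: one full attacker chain, then a benign visitor saving a PNG via the same endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2024:10:01:02 +0000] "GET /wp-content/plugins/dzs-zoomsounds/savepng.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [16/Oct/2024:10:01:03 +0000] "POST /wp-content/plugins/dzs-zoomsounds/savepng.php?location=a1b2c3.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.7 - - [16/Oct/2024:10:01:04 +0000] "GET /wp-content/plugins/dzs-zoomsounds/a1b2c3.php HTTP/1.1" 200 39 "-" "curl/8.0"
198.51.100.9 - - [16/Oct/2024:10:05:01 +0000] "POST /wp-content/plugins/dzs-zoomsounds/savepng.php?location=wave.png HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(finding)
```

Access logs do not show session state, so the "unauthenticated" qualifier cannot be applied here; since the endpoint requires no authentication, every matching POST is worth triage.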

CVSS provenance

NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL