CVE-2021-4449
Published: 2024-10-16
Priority: P182 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.29% (91.5th percentile)
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| digitalzoomstudio | zoomsounds | <= 5.96 | — |
| zoomit | zoomsounds_wordpress_wave_audio_player_with_playlist | <= 5.96 | — |
Detection & IOCs (extracted from sources)
- Probe for the vulnerable endpoint by sending a GET request to /wp-content/plugins/dzs-zoomsounds/savepng.php; a 200 response indicates the vulnerable plugin is present.
- Exploitation involves a POST request to savepng.php with a `location` query parameter specifying a PHP filename, allowing unauthenticated upload of arbitrary PHP files.
- After upload, the attacker verifies RCE by fetching the uploaded PHP file directly under the plugin directory; a 200 response with expected content confirms successful exploitation.
- Detect exploitation attempts by monitoring HTTP logs for POST requests to savepng.php containing a `location` parameter with a .php extension, originating from unauthenticated sessions.
- Use FOFA or similar asset-discovery queries to identify exposed WordPress instances running the ZoomSounds plugin by searching for the plugin path in page bodies.
- The vulnerability affects ZoomSounds plugin versions up to and including 5.96; installations beyond this version may not be vulnerable.
- CVE-2021-4457 is a duplicate of this CVE; detections and mitigations for one apply equally to the other.
- The Nuclei template uses a three-step flow (fingerprint → upload → verify RCE); all three HTTP steps must succeed for a confirmed positive, reducing false positives.
- The template is marked `intrusive`: running it will actually upload a file to the target server; use only in authorized testing environments.
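The log-monitoring guidance above can be turned into a small access-log triage script. The following is an added example written for this page, not code from the advisory, the plugin vendor or the Nuclei project. It assumes the Apache/nginx combined log format and takes the `savepng.php` path, the `location` query parameter and the GET-probe / POST-upload sequence from the detection notes; the set of PHP-executable extensions it checks and the severity labels are the author's own choices, and the log lines are constructed.

```python
"""Triage web-server access logs for CVE-2021-4449 probe and upload attempts.

Added example (not from the advisory, vendor or Nuclei). Assumes combined
log format. The endpoint path and `location` parameter come from the
detection notes; the extension set and severity labels are assumptions.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Extensions a typical PHP handler executes; wider than bare "php" so a
# renamed payload is still flagged (defender's choice, an assumption).
PHP_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}


def is_php_name(value):
    """True if a `location` value names a PHP-executable file.

    Decodes once more (parse_qs already decoded once) to catch double
    encoding, strips NUL bytes, and treats any PHP extension after the
    base name as PHP, so x.php.png and x.php%00.png are both caught.
    """
    name = unquote(value).replace("\x00", "").lower()
    base = name.rsplit("/", 1)[-1]
    return any(seg in PHP_EXTS for seg in base.split(".")[1:])


def classify(line):
    """Return a finding dict for a request to savepng.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not unquote(url.path).lower().endswith("/dzs-zoomsounds/savepng.php"):
        return None
    method, status = m.group("method"), int(m.group("status"))
    locations = parse_qs(url.query, keep_blank_values=True).get("location", [])
    php = any(is_php_name(v) for v in locations)
    if method == "POST" and php:
        severity, reason = "high", "POST to savepng.php with PHP filename in location"
    elif method == "POST":
        severity, reason = "medium", "POST to savepng.php (upload attempt, non-PHP location)"
    elif php:
        severity, reason = "medium", "non-POST request carrying a PHP filename in location"
    else:
        severity, reason = "low", "GET probe for savepng.php (fingerprinting)"
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": method,
        "status": status, "location": locations, "severity": severity,
        "reason": reason,
        # A 200 on the upload request is the strongest log-only signal of success.
        "likely_succeeded": severity == "high" and status == 200,
    }


def scan(lines):
    """Classify every line; keep only savepng.php findings."""
    return [f for f in (classify(l) for l in lines) if f]


def summarize(findings):
    """Per-source-IP count of findings by severity."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]][f["severity"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def attack_chains(findings):
    """IPs that both fingerprinted (low) and attempted a PHP upload (high),
    i.e. the probe-then-upload flow described in the detection notes."""
    per_ip = summarize(findings)
    return sorted(ip for ip, c in per_ip.items() if "low" in c and "high" in c)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/dzs-zoomsounds/savepng.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 - - [16/Oct/2024:10:00:02 +0000] "POST /wp-content/plugins/dzs-zoomsounds/savepng.php?location=poc.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.7 - - [16/Oct/2024:10:00:03 +0000] "GET /wp-content/plugins/dzs-zoomsounds/poc.php HTTP/1.1" 200 19 "-" "curl/8.0"',
    '198.51.100.9 - - [16/Oct/2024:10:05:00 +0000] "POST /wp-content/plugins/dzs-zoomsounds/savepng.php?location=wave.png HTTP/1.1" 200 0 "https://example.org/" "Mozilla/5.0"',
    '192.0.2.5 - - [16/Oct/2024:10:07:30 +0000] "POST /wp-content/plugins/dzs-zoomsounds/savepng.php?location=%252E%252E%252Fshell.phtml HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.5 - - [16/Oct/2024:10:07:31 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["ip"], f["method"], f["status"], f["reason"])
    print("probe-then-upload sources:", attack_chains(found))
```

The third sample line (a direct GET for the uploaded file) is not flagged by this rule because the script cannot know which `.php` files legitimately ship with the plugin; correlating unknown `.php` requests under the plugin directory against a file inventory of a clean install is the natural follow-up check.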
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-pwf8-74xg-4p7m (ghsa_unreviewed · 2024-10-16 · CVE-2021-4449 · CRITICAL · CWE-434)
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
VulnCheck
digitalzoomstudio zoomsounds Unrestricted Upload of File with Dangerous Type (vulncheck · 2021 · CVE-2021-4449 · CRITICAL · CVSS 9.8)
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this.
Affected: digitalzoomstudio zoomsounds
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.vulncheck.com/advisories/wordpress-plugin-zoomsounds-unauthenticated-arbitrary-file-upload
- https://app.crowdsec.ne
No detection rules found.
Nuclei
ZoomSounds Plugin - Unauthenticated Arbitrary File Upload (nuclei · CVE-2021-4449 · CRITICAL · CVSS 9.8)
ZoomSounds plugin for WordPress contains a file upload vulnerability in savepng.php
Template (info block):

```yaml
id: CVE-2021-4449

info:
  name: ZoomSounds Plugin - Unauthenticated Arbitrary File Upload
  author: 0xnemian
  severity: critical
  description: |
    ZoomSounds plugin for WordPress contains a file upload vulnerability in savepng.php
  impact: |
    Unauthenticated attackers can upload arbitrary PHP files via savepng.php without authentication or validation, achieving remote code execution and complete server compromise.
  remediation: |
    Upgrade to ZoomSounds plugin version that addresses the file upload vulnerability.
  reference:
    - https://wpscan.com/vulnerability/07259a61-8ba9-4dd0-8d52-cc1df389c0ad
    - https://codecanyon.net/item/zoomsounds-wordpress-wave
```
No writeups or analysis indexed.
References:
- https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433
- https://github.com/0xAgun/Arbitrary-File-Upload-ZoomSounds
- https://ithemes.com/blog/wordpress-vulnerability-report-june-2021-part-5/#ib-toc-anchor-2
- https://sploitus.com/exploit?id=WPEX-ID:07259A61-8BA9-4DD0-8D52-CC1DF389C0AD
- https://wpscan.com/vulnerability/07259a61-8ba9-4dd0-8d52-cc1df389c0ad
- https://www.wordfence.com/threat-intel/vulnerabilities/id/262e3bb3-bc83-4d0b-8056-9f94ec141b8f?source=cve