CVE-2024-13777

High CVSS: 8.1

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input from the 'margs' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Vendor

Digitalzoomstudio

Product

Zoomsounds

CWE

CWE-502

Yayın Tarihi

2025-03-05 10:15:15

Güncelleme

2025-05-26 01:44:28

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-502 Zoomsounds HIGH Digitalzoomstudio 2025

Referanslar

https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433 https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec4633a-0742-4646-accd-cc0b9e01302a?source=cve

Benzer Kayıtlar

Critical

CVE-2021-4457

The ZoomSounds plugin before 6.05 contains a PHP file allowing unauthenticated users to upload an arbitrary file anywher…

Unknown

CVE-2025-47568

Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds dzs-zoomsounds allows Object Injection.This issue a…

High

CVE-2025-3431

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in…

Medium

CVE-2025-0839

The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and i…

High

CVE-2024-13776

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modificati…