PHP Object Injection Vulnerability in ZoomSounds WordPress Plugin
CVE-2024-13777
8.1HIGH
Key Information:
- Vendor
- Zoomit
- Status
- Zoomsounds - WordPress Wave Audio Player With Playlist
- Vendor
- CVE Published:
- 5 March 2025
Summary
The ZoomSounds plugin for WordPress exposes a vulnerability that allows unauthenticated attackers to exploit PHP Object Injection via deserialization of untrusted input from the 'margs' parameter. While the underlying software does not contain a known PHP Object Propagation (POP) chain, the risk escalates if additional plugins or themes with such chains are present. In such cases, attackers could potentially execute harmful actions, including file deletions, data retrieval, or arbitrary code execution, posing significant security risks to WordPress installations.
Affected Version(s)
ZoomSounds - WordPress Wave Audio Player with Playlist * <= 6.91
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lucio Sá