CVE-2021-4449
ZoomSounds <= 5.96 - Unauthenticated Arbitrary File Upload
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this.
| CWE | CWE-434 |
| Vendor | zoomit |
| Product | zoomsounds - wordpress wave audio player with playlist |
| Published | Oct 16, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for zoomit zoomsounds - wordpress wave audio player with playlist
Be the first to know when new critical vulnerabilities affecting zoomit zoomsounds - wordpress wave audio player with playlist are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
ZoomIt / ZoomSounds - WordPress Wave Audio Player with Playlist
0 โค 5.96
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/262e3bb3-bc83-4d0b-8056-9f94ec141b8f?source=cve ithemes.com: https://ithemes.com/blog/wordpress-vulnerability-report-june-2021-part-5/#ib-toc-anchor-2 wpscan.com: https://wpscan.com/vulnerability/07259a61-8ba9-4dd0-8d52-cc1df389c0ad sploitus.com: https://sploitus.com/exploit?id=WPEX-ID:07259A61-8BA9-4DD0-8D52-CC1DF389C0AD github.com: https://github.com/0xAgun/Arbitrary-File-Upload-ZoomSounds codecanyon.net: https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433
Credits
ganj