CVE-2024-13671
Published: 30 January 2025
Description
The Music Sheet Viewer plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.1 via the read_score_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-25155 is likely a duplicate of this issue.
Security Summary
CVE-2024-13671 is an arbitrary file read vulnerability in the Music Sheet Viewer plugin for WordPress, affecting all versions up to and including 4.1. The flaw resides in the read_score_file() function and aligns with CWE-22 (path traversal); the NVD weakness entry is NVD-CWE-noinfo. Published on 2025-01-30, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): the attack is reachable over the network, requires no authentication or user interaction, and has a high confidentiality impact.
Unauthenticated attackers can exploit this vulnerability remotely, using the flawed function to read the contents of arbitrary files on the affected server. Successful exploitation exposes sensitive information stored in those files, such as configuration data or other server resources.
Advisories reference the vulnerable code in the plugin's source at https://plugins.trac.wordpress.org/browser/music-sheet-viewer/trunk/music-sheet-viewer.php#L748 and provide further details via Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/569f1cd4-195b-41d4-85cb-f529a1eb18d4?source=cve. CVE-2025-25155 is noted as a likely duplicate of this issue.
Details
- CWE(s)