CVE-2024-13777
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection, classified as CWE-502 (Deserialization of Untrusted Data), in all versions up to and including 6.91. The issue stems from deserialization of untrusted input supplied via the 'margs' parameter, which lets an attacker inject a PHP object. The flaw carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-05.
Unauthenticated attackers can exploit the vulnerability remotely by supplying malicious serialized data through the 'margs' parameter. While object injection is possible, no known Property-Oriented Programming (POP) chain exists within the vulnerable plugin itself, rendering it ineffective in isolation. Impact only materializes if another plugin or theme on the target WordPress site provides a POP chain, potentially allowing arbitrary file deletion, sensitive data retrieval, or arbitrary code execution depending on the chain's capabilities.
Advisories including the Wordfence threat intelligence report (https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec4633a-0742-4646-accd-cc0b9e01302a?source=cve) and the plugin's Codecanyon page (https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433) provide further details on the issue.
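The pattern behind this class of bug, and its mitigation, shown as an added illustration (not the plugin's code); the function names and the way 'margs' is handled are assumptions for the example:

```php
<?php
// Added illustration, not the plugin's code: the unsafe pattern the advisory
// describes beside a hardened replacement. Function names and the 'margs'
// handling shape are assumptions for illustration.

// Unsafe: unserialize() on request data instantiates whatever class the
// payload names, so any __wakeup()/__destruct() gadget reachable in another
// plugin or theme runs (the POP chain the advisory refers to).
function parse_margs_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false still parses scalars and arrays but turns
// every object into __PHP_Incomplete_Class, whose magic methods never run.
// Anything that is not a plain array of settings is then rejected outright.
function parse_margs_safe(string $raw): array
{
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return [];
    }
    array_walk_recursive($decoded, function ($value) {
        if (is_object($value)) {
            throw new InvalidArgumentException('objects are not permitted in margs');
        }
    });
    return $decoded;
}

// Preferred: accept JSON from the request instead; it carries the same
// structure with no object instantiation at all.
function parse_margs_json(string $raw): array
{
    $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Constructed inputs: a legitimate settings array, and a benign serialized
// stdClass nested inside an array, the shape the hardened path must refuse.
$legit  = serialize(['autoplay' => true, 'volume' => 80]);
$nested = 'a:1:{s:1:"o";O:8:"stdClass":0:{}}';

var_dump(parse_margs_safe($legit) === ['autoplay' => true, 'volume' => 80]);
try {
    parse_margs_safe($nested);
    echo "unexpected: object accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

On a site where a gadget chain exists elsewhere, the difference between the first and second function is the difference between the advisory's "no impact in isolation" and arbitrary code execution.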
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated PHP object injection in a public-facing WordPress plugin, which maps directly to Exploit Public-Facing Application (T1190). No other techniques map directly, because the impacts are conditional on a POP chain supplied by another plugin or theme and are not guaranteed by this vulnerability alone.