CVE-2021-4449
📋 TL;DR
The ZoomSounds WordPress plugin allows unauthenticated attackers to upload arbitrary files because its savepng.php script does not validate the type of the file it writes to disk. WordPress sites running ZoomSounds versions up to and including 5.96 are affected. Because the upload needs no login and the written file can be a PHP script in a web-served directory, the bug leads directly to remote code execution.
💻 Affected Systems
- ZoomSounds WordPress Plugin
📦 What is this software?
ZoomSounds (a WordPress wave audio player with playlist support) by Digital Zoom Studio, a premium plugin sold through CodeCanyon rather than the wordpress.org plugin directory.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through remote code execution: attackers install backdoors, steal data (including the database credentials readable from wp-config.php), deface the site, or use the server as a pivot for further attacks.
Likely Case
Attackers upload a PHP web shell to gain persistent access as the web server user, take over the WordPress installation from there, and potentially the underlying server.
If Mitigated
Requests to savepng.php are blocked, or the uploaded file type is properly validated, so no attacker-controlled executable file can be written to a web-served directory while the plugin's legitimate functionality is retained.
🎯 Exploit Status
Multiple public exploit scripts are available (see References). Exploitation needs only a single unauthenticated HTTP POST to the vulnerable endpoint, so expect mass scanning and automated exploitation rather than targeted attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a ZoomSounds release later than 5.96
Vendor Page: https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433 (the plugin is distributed through CodeCanyon/Envato, so updates do not arrive through the wordpress.org repository)
Restart Required: No
Instructions:
1. Log into the WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find the ZoomSounds plugin and note its version
4. Click 'Update Now' if an update is offered; if no updater is configured for this plugin, download the latest release from CodeCanyon and install it over the old one
5. If no fixed release is available, delete the plugin rather than only deactivating it: savepng.php is requested directly by URL and never passes through WordPress, so a deactivated plugin's files are still reachable and still exploitable
🔧 Temporary Workarounds
Block the vulnerable endpoint
On Apache, add a rewrite rule to the .htaccess file in the WordPress root (the pattern is relative to that directory, so no leading slash). This only works where mod_rewrite is enabled and AllowOverride permits it; on nginx add an equivalent deny rule in the server block. Confirm that the plugin directory name on disk matches the path in the rule.
RewriteEngine On
RewriteRule ^wp-content/plugins/zoomsounds/savepng\.php$ - [F,L]
Remove the vulnerable file
Delete savepng.php from the plugin directory. This disables whatever plugin feature depends on it but leaves the rest of the plugin working. Any later plugin update or reinstall puts the file back, so re-check after an update that is not a fixed release.
rm -f /path/to/wordpress/wp-content/plugins/zoomsounds/savepng.php
🧯 If You Can't Patch
- Delete the ZoomSounds plugin immediately (deactivating alone leaves savepng.php reachable by direct URL)
- Put web application firewall (WAF) rules in front of the site that block POST requests to savepng.php, and confirm the block with a test request from outside the network
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins → Installed Plugins and read the ZoomSounds version. If the version is ≤ 5.96, the site is vulnerable. A deactivated but not deleted plugin still counts as vulnerable.
Check Version (from the shell):
grep -m1 "Version:" /path/to/wordpress/wp-content/plugins/zoomsounds/zoomsounds.php
Verify Fix Applied:
Confirm that the installed ZoomSounds version is > 5.96, or that the plugin directory has been deleted (not merely deactivated), and that a POST to savepng.php from outside now returns 403 or 404.
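A shell helper for the version check above, added here as an example; it is not part of the original advisory or of the plugin. It assumes the plugin lives at wp-content/plugins/zoomsounds and that its main file zoomsounds.php carries a standard WordPress "Version:" header, the same assumption the advisory's grep command makes. It uses sort -V (GNU coreutils) for the comparison so that a hypothetical 5.100 does not sort below 5.96 the way a plain string compare would. The throwaway plugin tree built at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original advisory or the ZoomSounds plugin):
# classify an on-disk ZoomSounds install as vulnerable (<= 5.96) or patched.
# Assumed layout: $WP_ROOT/wp-content/plugins/zoomsounds/zoomsounds.php with a
# standard WordPress plugin header. Requires sort -V (GNU coreutils).

# Print the version from a WordPress plugin header file (first "Version:" line).
# Handles both "Version: 5.96" and " * Version: 5.96" (docblock style).
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) when dotted version $1 <= dotted version $2.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print one of: "not-installed", "unknown", "vulnerable X.Y", "patched X.Y".
# Note that a deactivated plugin still has its files on disk and is still
# reported (correctly) as vulnerable: savepng.php is reached by direct URL.
zoomsounds_status() {
    wp_root="$1"
    main="$wp_root/wp-content/plugins/zoomsounds/zoomsounds.php"
    if [ ! -f "$main" ]; then
        echo "not-installed"
        return 0
    fi
    v="$(plugin_version "$main")"
    if [ -z "$v" ]; then
        echo "unknown"
        return 0
    fi
    if version_le "$v" "5.96"; then
        echo "vulnerable $v"
    else
        echo "patched $v"
    fi
}

# Run against a real install when a WordPress root is given; otherwise
# demonstrate on a constructed throwaway tree (sample data, not a real site).
if [ -n "$1" ]; then
    zoomsounds_status "$1"
else
    demo="$(mktemp -d)"
    mkdir -p "$demo/wp-content/plugins/zoomsounds"
    printf '<?php\n/*\nPlugin Name: ZoomSounds\nVersion: 5.96\n*/\n' \
        > "$demo/wp-content/plugins/zoomsounds/zoomsounds.php"
    zoomsounds_status "$demo"   # prints: vulnerable 5.96
    rm -rf "$demo"
fi
```

Run it as `sh check-zoomsounds.sh /var/www/html` against a real site; with no argument it only exercises the sample tree. If your install uses a different plugin directory name, change the path in zoomsounds_status to match what `ls wp-content/plugins` shows.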
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/zoomsounds/savepng.php, especially from non-browser user agents; a 2xx response means the upload most likely succeeded, while a 403 from the .htaccess rule above means the attempt was blocked
- New files with .php, .phtml or other server-executable extensions appearing in the plugin directory, and subsequent requests to those files from the same source
Network Indicators:
- POST requests to savepng.php from unexpected sources, or at the rate and breadth typical of a scanner sweeping many sites
- POST bodies arriving at a plugin path that normally receives none
SIEM Query (pseudo-query; adapt the field names to your SIEM):
source="web_server_logs" AND uri="/wp-content/plugins/zoomsounds/savepng.php" AND method="POST"
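The detection logic above, run over sample access-log lines, as an added example that is not part of the original advisory. It is a POSIX shell/awk scanner for Apache or nginx "combined" log format that reports POSTs to the savepng.php endpoint named in the advisory, separates attempts that got a 2xx (probable successful upload) from blocked ones, and then lists later requests from the same source to other .php files under the plugin directory, which is what invoking a dropped web shell looks like. The log lines, the documentation-range IP addresses and the shell.php follow-up request are all constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original advisory): scan combined-format access
# logs for exploitation of the ZoomSounds savepng.php upload endpoint.
# Combined log fields as awk sees them:
#   $1 ip  $4 [time  $5 tz]  $6 "METHOD  $7 path  $8 proto"  $9 status  $10 bytes
ENDPOINT='/wp-content/plugins/zoomsounds/savepng.php'
PLUGIN_DIR='/wp-content/plugins/zoomsounds/'

# Print "ip status" for every POST to the endpoint read from stdin.
# index()==1 keeps matches on "savepng.php?anything" while ignoring GET probes.
savepng_posts() {
    awk -v ep="$ENDPOINT" '$6 == "\"POST" && index($7, ep) == 1 { print $1, $9 }'
}

# Unique source IPs whose POST to the endpoint got a 2xx: treat these hosts
# as probably compromised and triage the plugin directory for new files.
likely_successful_uploads() {
    savepng_posts | awk '$2 ~ /^2[0-9][0-9]$/ { print $1 }' | sort -u
}

# All attempts per source IP, blocked or not (scanner noise is still useful
# for knowing you are being targeted).
post_attempts_by_ip() {
    savepng_posts | awk '{ c[$1]++ } END { for (ip in c) print ip, c[ip] }' | sort
}

# For each IP with a probable successful upload, print its requests to other
# .php/.phtml files in the plugin directory: a dropped web shell being used.
followup_requests() {
    log="$(cat)"
    for ip in $(printf '%s\n' "$log" | likely_successful_uploads); do
        printf '%s\n' "$log" | awk -v ip="$ip" -v ep="$ENDPOINT" -v dir="$PLUGIN_DIR" '
            $1 == ip && index($7, dir) == 1 && index($7, ep) != 1 &&
            $7 ~ /\.(php|phtml)/ { print $1, $7 }'
    done
}

# Constructed sample log (not real traffic): one successful upload followed by
# a web-shell call, one GET probe, and two POSTs blocked with 403.
SAMPLE_LOG='203.0.113.10 - - [12/Jun/2021:10:01:02 +0000] "POST /wp-content/plugins/zoomsounds/savepng.php HTTP/1.1" 200 45 "-" "python-requests/2.25.1"
198.51.100.7 - - [12/Jun/2021:10:01:03 +0000] "GET /wp-content/plugins/zoomsounds/savepng.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
203.0.113.10 - - [12/Jun/2021:10:01:09 +0000] "GET /wp-content/plugins/zoomsounds/shell.php?cmd=id HTTP/1.1" 200 1024 "-" "python-requests/2.25.1"
192.0.2.55 - - [12/Jun/2021:10:02:00 +0000] "POST /wp-content/plugins/zoomsounds/savepng.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Jun/2021:10:02:01 +0000] "POST /wp-content/plugins/zoomsounds/savepng.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# Demo on the sample. Against a real server pipe the log in instead, e.g.
#   likely_successful_uploads < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | likely_successful_uploads   # prints: 203.0.113.10
printf '%s\n' "$SAMPLE_LOG" | post_attempts_by_ip
printf '%s\n' "$SAMPLE_LOG" | followup_requests
```

On a site that has been exposed for any length of time, run followup_requests over the full log retention window, not just the last day: the upload and the first use of the shell can be weeks apart, and a 403 in the blocked list only proves the rewrite rule was in place at that moment, not before.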
🔗 References
- https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433
- https://github.com/0xAgun/Arbitrary-File-Upload-ZoomSounds
- https://ithemes.com/blog/wordpress-vulnerability-report-june-2021-part-5/#ib-toc-anchor-2
- https://sploitus.com/exploit?id=WPEX-ID:07259A61-8BA9-4DD0-8D52-CC1DF389C0AD
- https://wpscan.com/vulnerability/07259a61-8ba9-4dd0-8d52-cc1df389c0ad
- https://www.wordfence.com/threat-intel/vulnerabilities/id/262e3bb3-bc83-4d0b-8056-9f94ec141b8f?source=cve