CVE-2024-10803

7.5 HIGH

📋 TL;DR

The MP3 Sticky Player plugin for WordPress has a directory traversal vulnerability in the content/downloader.php file, allowing unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information. This affects all versions up to and including 8.0. Users of the plugin on WordPress sites are at risk.

💻 Affected Systems

Products:
  • MP3 Sticky Player WordPress Plugin
Versions: All versions up to and including 8.0
Operating Systems: Any OS running WordPress (e.g., Linux, Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the content/downloader.php file and affects all default installations of the plugin. The vendor released a patched version with the same version number (8.0), so users must ensure they have the updated release.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive files like wp-config.php (containing database credentials), server configuration files, or user data, leading to full site compromise, data theft, or further attacks.

🟠 Likely Case

Attackers exploit this to steal database credentials or other configuration files, enabling unauthorized access to the WordPress site or database.

🟢 If Mitigated

With proper file permissions and web server security controls, impact may be limited to non-sensitive files, but the risk remains significant because exploitation requires no authentication.

🌐 Internet-Facing: HIGH, as the vulnerability is in a WordPress plugin accessible via the web and exploitable without authentication, making internet-facing sites prime targets.
🏢 Internal Only: MEDIUM, as internal systems might still be vulnerable if accessed by malicious insiders or through other attack vectors, but exposure is lower than internet-facing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves simple HTTP requests to the vulnerable file with directory traversal sequences (e.g., '../'). Public proof-of-concept details are available in references, making it easy for attackers to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0 (updated release)

Vendor Advisory: https://codecanyon.net/item/mp3-sticky-player-wordpress-plugin/7930491

Restart Required: No

Instructions:

1. Log into your WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find MP3 Sticky Player and check whether the version is 8.0 (ensure it is the patched release).
4. If outdated, update the plugin via the WordPress updater or manually download the latest version from the vendor.
5. Verify the fix by checking the content/downloader.php file for security patches.

🔧 Temporary Workarounds

Disable or Remove the Plugin (platform: all)

Temporarily disable or delete the MP3 Sticky Player plugin to eliminate the vulnerability until patching is possible:

wp plugin deactivate mp3-sticky-player
wp plugin delete mp3-sticky-player

Restrict Access to downloader.php (platform: linux)

Use web server rules (e.g., .htaccess for Apache) to block access to the vulnerable content/downloader.php file. A <Files> block matches by file name in the directory holding the .htaccess and all directories below it, so it can go in the site root. On Apache 2.4 without mod_access_compat, use "Require all denied" in place of "deny from all".

Add to .htaccess:

<Files "downloader.php">
    deny from all
</Files>

🧯 If You Can't Patch

  • Remove the MP3 Sticky Player plugin entirely from the WordPress installation to prevent exploitation.
  • Implement network-level controls such as a web application firewall (WAF) to block directory traversal attempts targeting the plugin.

🔍 How to Verify

Check if Vulnerable:

Check if the plugin is installed and version is 8.0 or earlier by going to WordPress admin > Plugins, or use command: wp plugin list --name=mp3-sticky-player --field=version.

Check Version:

wp plugin list --name=mp3-sticky-player --field=version

Verify Fix Applied:

After updating, verify the plugin version is 8.0 (patched) and test by attempting to access /wp-content/plugins/mp3-sticky-player/content/downloader.php with a traversal payload; it should return an error or be blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-content/plugins/mp3-sticky-player/content/downloader.php with patterns like '../' or '%2e%2e%2f' in logs.

Network Indicators:

  • Unusual outbound traffic from the server post-exploitation, such as connections to external IPs or data exfiltration patterns.

SIEM Query:

source="web_logs" AND uri="/wp-content/plugins/mp3-sticky-player/content/downloader.php" AND (uri CONTAINS "../" OR uri CONTAINS "%2e%2e%2f")
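Added example (not part of this advisory): a Python scanner that applies the log indicator and SIEM query above to Apache combined-format lines, percent-decoding repeatedly so double-encoded sequences such as %252e%252e%252f are caught rather than missed by a literal "../" match. The sample log lines and the "path" query parameter are constructed for illustration; the plugin's real parameter name is not stated on this page.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not real traffic). The "path"
# query parameter is an assumption; the advisory does not name the real one.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2024:10:01:02 +0000] "GET /wp-content/plugins/mp3-sticky-player/content/downloader.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1532 "-" "curl/8.0"
203.0.113.6 - - [10/Nov/2024:10:01:09 +0000] "GET /wp-content/plugins/mp3-sticky-player/content/downloader.php?path=%252e%252e%252fwp-config.php HTTP/1.1" 200 1532 "-" "curl/8.0"
198.51.100.7 - - [10/Nov/2024:10:02:30 +0000] "GET /wp-content/plugins/mp3-sticky-player/content/downloader.php?path=songs/track1.mp3 HTTP/1.1" 200 40123 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Nov/2024:10:03:11 +0000] "GET /wp-content/uploads/2024/../2023/img.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

VULN_PATH = "/wp-content/plugins/mp3-sticky-player/content/downloader.php"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# ".." as a whole segment: preceded by start, "/", "=", "&" or "?", followed by "/", "&", "?" or end.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?])\.\.(?:[/&?]|$)')


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e%252f) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target):
    """True if the decoded request target contains a '..' path segment (either slash style)."""
    decoded = fully_decode(target).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def scan_log(text):
    """Return one dict per request that hits downloader.php with a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m.group("target"))
        if VULN_PATH not in decoded or not is_traversal(m.group("target")):
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "time": m.group("ts"), "target": decoded,
                     "status": status, "likely_read": status == 200})
    return hits
```

Running scan_log(SAMPLE_LOG) flags the first two lines only: the unrelated traversal against wp-content/uploads is ignored, and a 200 status on a flagged request is marked likely_read so those hosts can be triaged first.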
