CVE-2024-10816
📋 TL;DR
The LUNA RADIO PLAYER WordPress plugin contains a directory traversal vulnerability in its js/fallback.php file that allows unauthenticated attackers to read arbitrary files on the server. This affects all WordPress sites running the plugin at version 6.24.01.24 or earlier. Attackers can potentially access sensitive configuration files, credentials, or other confidential data readable by the web server user.
💻 Affected Systems
- LUNA RADIO PLAYER WordPress Plugin
⚠️ Manual Verification Required
The CVE record does not carry a machine-readable affected-version range, so automated detection cannot decide from the CVE entry alone whether your install is affected.
Why? No version range (CPE match data) was published with the NVD entry. The cutoff stated on this page (6.24.01.24 and earlier) comes from the advisory text and must be compared against the installed plugin version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain database credentials, admin passwords, or other sensitive system files leading to complete site compromise, data theft, or server takeover.
Likely Case
Attackers read wp-config.php to obtain database credentials, then use those to access/modify site data or install backdoors.
If Mitigated
If the endpoint is blocked at the web server (see the workarounds below), the request never reaches PHP and nothing is read. File permissions alone are a weak defence here: the read is performed by the PHP process, which must itself be able to read wp-config.php, so restrictive permissions on that file do not prevent its disclosure. At best they keep files owned by other users (for example /etc/shadow) out of reach, and PHP's open_basedir can confine reads to the site's directory tree.
🎯 Exploit Status
Simple HTTP request manipulation required. No authentication needed. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 6.24.01.24
Vendor Advisory: https://radioplayer.luna-universe.com/update
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find LUNA RADIO PLAYER and click 'Update Now'.
4. Alternatively, download the latest version from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block access to the vulnerable js/fallback.php file via web server configuration
# For Apache (mod_alias): add to the site-root .htaccess
RedirectMatch 403 "^/wp-content/plugins/luna-radio-player/js/fallback\.php$"
# Or, in a .htaccess inside the plugin's js/ directory. <Files> matches the
# file name only, so a path such as "js/fallback.php" would never match.
<Files "fallback.php">
# Apache 2.4 syntax; on Apache 2.2 use "Order Allow,Deny" followed by "Deny from all"
Require all denied
</Files>
# For Nginx: add to the server block. An exact "location =" match takes
# precedence over the regex "location ~ \.php$" block that hands scripts to
# PHP-FPM, so the request is refused before PHP ever sees it.
location = /wp-content/plugins/luna-radio-player/js/fallback.php {
    return 403;
}
Disable plugin
Temporarily deactivate the LUNA RADIO PLAYER plugin until patched
# Via WordPress admin: Plugins → Installed Plugins → Deactivate LUNA RADIO PLAYER
🧯 If You Can't Patch
- Remove the LUNA RADIO PLAYER plugin completely from your WordPress installation
- Keep strict file permissions on wp-config.php as general hygiene, but do not rely on them for this CVE: the traversal read runs as the PHP/web server user, which must be able to read wp-config.php anyway. To limit what else can be read, confine PHP with open_basedir to the site's directory tree and keep secrets that WordPress does not need off the web host entirely
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → LUNA RADIO PLAYER version. If version is 6.24.01.24 or lower, you are vulnerable.
Check Version:
# Check via WordPress CLI
wp plugin get luna-radio-player --field=version
# Or check file directly
grep 'Version:' /path/to/wp-content/plugins/luna-radio-player/luna-radio-player.php
Verify Fix Applied:
After updating, verify the plugin version is higher than 6.24.01.24. Then, against your own site only, request /wp-content/plugins/luna-radio-player/js/fallback.php?file=../../../wp-config.php: a 403, 404 or an error message means the traversal is closed; a 200 whose body contains the file (look for DB_PASSWORD) means the site is still exposed.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /wp-content/plugins/luna-radio-player/js/fallback.php with ../ in the query string, including percent-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f) and backslash (..\) variants
- Unusual file access patterns from single IPs to plugin directory
Network Indicators:
- GET requests containing directory traversal sequences (../ or their percent-encoded forms) to the fallback.php endpoint
- Traffic spikes to the vulnerable endpoint from external IPs
SIEM Query:
source="web_access_logs" AND uri_path="/wp-content/plugins/luna-radio-player/js/fallback.php" AND (query="*../*" OR query="*..\\*" OR query="*%2e%2e*" OR query="*%252e%252e*")
Triage hits by status: 200 indicates a probable successful read, 403/404 a blocked attempt. Keep the status out of the OR clause, otherwise the query fires on every legitimate player request that returns 200.