CVE-2024-13671
📋 TL;DR
The Music Sheet Viewer WordPress plugin contains an arbitrary file read vulnerability that allows unauthenticated attackers to read any file on the server. This affects all WordPress sites using version 4.1 or earlier of the plugin, potentially exposing sensitive configuration files, credentials, and other confidential data.
💻 Affected Systems
- Music Sheet Viewer WordPress Plugin
📦 What is this software?
Music Sheet Viewer by Partitionnumerique
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain database credentials, SSH keys, or other sensitive files leading to complete server compromise, data theft, and lateral movement within the network.
Likely Case
Attackers read wp-config.php to obtain database credentials, potentially leading to database compromise and site defacement or data exfiltration.
If Mitigated
With proper file permissions and web server restrictions, attackers can only read publicly accessible files, limiting exposure to non-sensitive information.
🎯 Exploit Status
The vulnerability is in the read_score_file() function, which doesn't properly validate the supplied file path, allowing directory traversal outside the intended score directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3158475/music-sheet-viewer/trunk/music-sheet-viewer.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Music Sheet Viewer plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Plugin
Deactivate the Music Sheet Viewer plugin to prevent exploitation
Web Server Restrictions
Add web server rules to block access to the vulnerable endpoint
# Apache: Add to .htaccess
RewriteEngine On
RewriteRule ^wp-content/plugins/music-sheet-viewer/.*\.php$ - [F,L]
# Nginx: Add to server block
location ~ ^/wp-content/plugins/music-sheet-viewer/.*\.php$ { deny all; }
🧯 If You Can't Patch
- Deactivate and remove the Music Sheet Viewer plugin immediately
- Implement web application firewall rules to block directory traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Music Sheet Viewer version 4.1 or earlier
Check Version:
# Check via WP-CLI
wp plugin list --name='music-sheet-viewer' --field=version
Verify Fix Applied:
Verify plugin version is 4.2 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/music-sheet-viewer/ with file path parameters containing '../' sequences
- Multiple failed attempts to access sensitive files like wp-config.php, .env, or /etc/passwd
Network Indicators:
- Unusual file read patterns from external IPs targeting the plugin endpoint
- Traffic spikes to the plugin's PHP files with parameter manipulation
SIEM Query:
source="web_access_logs" AND uri_path="/wp-content/plugins/music-sheet-viewer/*" AND (query="*../*" OR query="*..%2f*" OR query="*%2e%2e*")
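The log indicators above, applied to access-log lines as an added example (this is not code from the advisory or from the plugin vendor): it parses combined-format log entries, keeps only requests under the plugin directory, decodes each query parameter repeatedly so single- and double-URL-encoded `..` sequences are caught, and reports the client IP, HTTP status and decoded value for triage. The log lines are constructed, and the script name `endpoint.php` is a placeholder, since the advisory names the vulnerable function (read_score_file()) but not the URL that reaches it.

```python
"""Flag access-log entries that hit the Music Sheet Viewer plugin path with a
directory-traversal sequence in a query parameter. Added example; sample log
lines are constructed and the endpoint file name is a placeholder."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PLUGIN_PATH = "/wp-content/plugins/music-sheet-viewer/"

# Constructed Apache/Nginx "combined" log lines (not real traffic). The first three
# show plain, single-encoded and double-encoded traversal; the last two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-content/plugins/music-sheet-viewer/endpoint.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "GET /wp-content/plugins/music-sheet-viewer/endpoint.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-content/plugins/music-sheet-viewer/endpoint.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:12:00:04 +0000] "GET /wp-content/plugins/music-sheet-viewer/endpoint.php?file=scores/bach.mei HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:00:05 +0000] "GET /wp-content/uploads/2025/01/../notes.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." immediately followed by a forward or back slash, after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def fully_decode(value, rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f collapse to '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    # parse_qsl decodes each value once; fully_decode handles further layers.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def flag_traversal(lines):
    """Return (ip, status, param_name, decoded_value) for every request that both
    targets the plugin directory and carries a '..' traversal in a parameter."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PLUGIN_PATH):
            continue
        for name, value in rec["params"]:
            decoded = fully_decode(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append((rec["ip"], rec["status"], name, decoded))
    return hits


def hits_by_ip(hits):
    """Count flagged requests per client IP, for the 'multiple attempts' indicator."""
    counts = {}
    for ip, _status, _name, _value in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = flag_traversal(SAMPLE_LOG.splitlines())
    for ip, status, name, value in found:
        print(f"{ip} status={status} {name}={value}")
    print("per-IP counts:", hits_by_ip(found))
```

A 200 status on a flagged request deserves the highest priority, since it suggests the file was actually served; 4xx responses on the same pattern still indicate probing but are less urgent. The plugin-path check keeps generic traversal noise elsewhere on the site (the last sample line) out of this specific alert.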