CVE-2024-5664
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into web pages via the 'sonaar_audioplayer' shortcode. The stored XSS payload executes whenever users visit the compromised pages, potentially affecting all visitors to vulnerable WordPress sites.
💻 Affected Systems
- MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of users, or deploy malware to site visitors.
Likely Case
Attackers with contributor access inject malicious scripts to steal admin credentials or redirect users to phishing pages.
If Mitigated
With proper user role management and input validation, impact is limited to unauthorized script execution in specific contexts.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access. The vulnerable code is publicly available in the plugin repository, making weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.1 or later
Vendor Advisory: https://wordpress.org/plugins/mp3-music-player-by-sonaar/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.5.1+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily restrict contributor-level users from creating or editing posts until patched.
Disable Plugin
Deactivate the vulnerable plugin until the update is available.
🧯 If You Can't Patch
- Implement strict user role management and review all contributor-level accounts
- Add web application firewall rules to block XSS payloads in shortcode parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar' version 5.5 or earlier.
Check Version:
wp plugin list --name='mp3-music-player-by-sonaar' --field=version (WP-CLI)
Verify Fix Applied:
Confirm plugin version is 5.5.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor-level users
- Shortcode modifications containing script tags
Network Indicators:
- Outbound connections to suspicious domains from WordPress pages
SIEM Query:
source="wordpress" AND (event="post_modified" OR event="shortcode_modified") AND user_role="contributor"
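The log indicators above flag shortcode edits that carry script tags. The following added example (not code from the plugin, Wordfence or this advisory) scans stored post content for 'sonaar_audioplayer' shortcodes whose attribute values look like script payloads, using WordPress-style attribute quoting, and checks a WP-CLI version string against the fixed 5.5.1. The attribute names and the sample post content are constructed for illustration and are not claimed to be the plugin's real attributes.

```python
import re

# Constructed sample post content (not from any real site): one benign shortcode,
# one with a script tag in a quoted attribute, one with an unquoted on* handler.
SAMPLE_POST_CONTENT = """
<p>Latest episode:</p>
[sonaar_audioplayer title="Episode 12" albums="123"]
[sonaar_audioplayer title='Ep<script>alert(1)</script>' albums="124"]
[sonaar_audioplayer title="x" onclick=alert(1)]
"""

SHORTCODE_RE = re.compile(r"\[sonaar_audioplayer\b([^\]]*)\]", re.IGNORECASE)
# WordPress shortcode attributes: key="v", key='v' or bare key=v
ATTR_RE = re.compile(r'''(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))''')
SUSPICIOUS_VALUE_RE = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
HANDLER_NAME_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def parse_shortcode_attrs(attr_text):
    """Parse one shortcode's attribute string into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # exactly one of the three value groups matched
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def find_suspicious_shortcodes(content):
    """Return (attribute, value) pairs from sonaar_audioplayer shortcodes that
    carry a script tag, a javascript: URL or an on* event handler."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_shortcode_attrs(sc.group(1)).items():
            if HANDLER_NAME_RE.match(name) or SUSPICIOUS_VALUE_RE.search(value):
                findings.append((name, value))
    return findings


def is_vulnerable_version(version):
    """True when a version string (e.g. from `wp plugin list --field=version`)
    is below the fixed release 5.5.1 named in the advisory."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts < (5, 5, 1)


if __name__ == "__main__":
    for name, value in find_suspicious_shortcodes(SAMPLE_POST_CONTENT):
        print(f"suspicious attribute {name!r}: {value!r}")
```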
🔗 References
- https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.4.0.2/includes/class-sonaar-music-widget.php#L1853
- https://plugins.trac.wordpress.org/changeset/3115110/mp3-music-player-by-sonaar/trunk/includes/class-sonaar-music-widget.php
- https://wordpress.org/plugins/mp3-music-player-by-sonaar/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c14783d3-68de-49c6-9c54-eb7fc4a7bf94?source=cve