CVE-2024-7856
📋 TL;DR
This vulnerability in the MP3 Audio Player WordPress plugin allows authenticated attackers with subscriber-level access or higher to delete arbitrary files on the server due to missing capability checks and insufficient path validation. Attackers can potentially achieve remote code execution by deleting critical files like wp-config.php. All WordPress sites using this plugin up to version 5.7.0.1 are affected.
💻 Affected Systems
- MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution by deleting wp-config.php, leading to database access, admin takeover, and potential server compromise.
Likely Case
Site disruption or defacement through deletion of critical WordPress files, configuration files, or media assets.
If Mitigated
Limited impact if proper file permissions and WordPress hardening are in place, though file deletion could still cause service disruption.
🎯 Exploit Status
Exploitation requires authenticated access but only at subscriber level. The vulnerability is straightforward to exploit once an attacker has valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.0.2
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3142445/mp3-music-player-by-sonaar/trunk/includes/class-sonaar-music.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar'
4. Click 'Update Now' if update is available
5. Alternatively, download version 5.7.0.2+ from WordPress plugin repository
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the MP3 Audio Player plugin until it is patched:
wp plugin deactivate mp3-music-player-by-sonaar
Restrict user registration
Disable new user registration so attackers cannot self-provision the subscriber-level account the exploit requires:
Uncheck 'Anyone can register' in WordPress Settings → General
🧯 If You Can't Patch
- Remove the plugin entirely and use alternative audio player solutions
- Implement strict file permissions (wp-config.php should be 400 or 440, web root files should have proper ownership)
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 5.7.0.1 or lower, you are vulnerable.
Check Version:
wp plugin get mp3-music-player-by-sonaar --field=version
Verify Fix Applied:
Verify plugin version is 5.7.0.2 or higher after update. Check that the removeTempFiles() function now includes proper capability checks.
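The version check above compares dotted version strings, which lexical comparison gets wrong (e.g. it would rank 5.10.0 below 5.7.0). The following is an added example, not code from the advisory or from the plugin: it wraps the WP-CLI command listed above and compares the result numerically against the patched release, using only the version numbers this advisory states.

```python
"""Check whether an installed copy of the Sonaar MP3 Audio Player plugin
is at a version affected by CVE-2024-7856.

Added example, not part of the advisory or the plugin. Assumes the
advisory's figures: versions up to 5.7.0.1 are affected, 5.7.0.2 is the fix.
"""
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "mp3-music-player-by-sonaar"
FIXED_VERSION = "5.7.0.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.7.0.1' into (5, 7, 0, 1) so comparisons are numeric.
    Non-digit suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b; shorter tuples are zero-padded
    so '5.7' and '5.7.0.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Affected if the installed version is strictly below the patched release."""
    return compare_versions(installed, fixed) < 0


def installed_version(path: str = ".") -> Optional[str]:
    """Ask WP-CLI for the plugin version (the command the advisory lists).
    Returns None if wp is not on PATH or the plugin is not installed."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={path}"],
            capture_output=True, text=True, timeout=60, check=False,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("could not read plugin version (is WP-CLI installed and the plugin present?)")
    elif is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version}: VULNERABLE, update to {FIXED_VERSION} or later")
    else:
        print(f"{PLUGIN_SLUG} {version}: patched")
```

Run it from the WordPress root (or pass the site path to installed_version). The comparison is deliberately strict-less-than against 5.7.0.2, so 5.7.0.2 itself and anything newer report as patched; the version number alone does not prove the capability check is present, so a code review of removeTempFiles() remains the definitive confirmation.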
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in WordPress debug logs
- Multiple failed login attempts followed by file deletion requests
- HTTP POST requests to admin-ajax.php with 'removeTempFiles' action
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=removeTempFiles' parameter
- Unusual file paths in POST parameters
SIEM Query:
source="wordpress.log" AND "removeTempFiles" AND ("file=" OR "delete")
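The indicators above reduce to one pattern: a POST to admin-ajax.php whose parameters carry action=removeTempFiles, with a path-like value that points outside the plugin's temp area. The script below is an added example, not part of the advisory or the plugin: it applies that pattern to web-server access log lines and grades each hit. The log lines are constructed for the example, and the parameter name 'file' is an assumption; the advisory does not state which parameter carries the path, so adjust it to what your own logs show.

```python
"""Flag admin-ajax.php requests matching the CVE-2024-7856 indicators.

Added example, not code from the advisory or the plugin. Assumes a combined
log format with the POST body logged as a final quoted field (only present
when the web server is configured to log request bodies), and assumes the
path travels in a parameter named 'file'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "removeTempFiles"
PATH_PARAM = "file"  # assumed parameter name, not taken from the plugin


@dataclass
class Hit:
    ip: str
    ts: str
    status: str
    file_param: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Every removeTempFiles call is worth a look; a path that escapes
        # the temp area or names a core file is the exploit pattern itself.
        return "high" if len(self.reasons) > 1 else "review"


def parse_params(target: str, body: Optional[str]) -> Dict[str, str]:
    """Merge query-string and body parameters; body values win on conflict.
    parse_qs percent-decodes, so '..%2F' arrives as '../'."""
    merged: Dict[str, str] = {}
    for raw in (urlsplit(target).query, body or ""):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged[key] = values[-1]
    return merged


def path_reasons(value: str) -> List[str]:
    """Explain why a path value looks like an arbitrary-file-deletion attempt."""
    reasons = []
    normalised = value.replace("\\", "/")
    if ".." in normalised.split("/"):
        reasons.append("path traversal segment")
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:/", normalised):
        reasons.append("absolute path")
    if normalised.endswith(("wp-config.php", ".htaccess")):
        reasons.append("targets WordPress core/config file")
    return reasons


def scan(lines) -> List[Hit]:
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not urlsplit(m["target"]).path.endswith(AJAX_PATH):
            continue
        params = parse_params(m["target"], m["body"])
        if params.get("action") != ACTION:
            continue
        file_param = params.get(PATH_PARAM, "")
        reasons = [f"{ACTION} action"] + path_reasons(file_param)
        hits.append(Hit(m["ip"], m["ts"], m["status"], file_param, reasons))
    return hits


# Constructed sample: two exploit-shaped requests, one unrelated AJAX call,
# one plausibly legitimate temp-file cleanup, and one GET to ignore.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2024:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://example.test/wp-admin/" "Mozilla/5.0" "action=removeTempFiles&file=..%2F..%2F..%2Fwp-config.php"',
    '198.51.100.9 - - [01/Aug/2024:10:16:22 +0000] "POST /wp-admin/admin-ajax.php?action=removeTempFiles HTTP/1.1" 200 43 "-" "curl/8.0" "file=%2Fvar%2Fwww%2Fhtml%2F.htaccess"',
    '192.0.2.14 - - [01/Aug/2024:10:17:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://example.test/" "Mozilla/5.0" "action=heartbeat"',
    '192.0.2.14 - - [01/Aug/2024:10:18:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://example.test/" "Mozilla/5.0" "action=removeTempFiles&file=wp-content%2Fuploads%2Fsonaar%2Ftmp_12.mp3"',
    '192.0.2.14 - - [01/Aug/2024:10:19:00 +0000] "GET /wp-content/uploads/a.mp3 HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.ts} {hit.ip} file={hit.file_param!r} ({', '.join(hit.reasons)})")
```

Feed real access logs via `scan(open(path))`. Hits graded "review" are ordinary cleanup calls that merit a glance at volume and source; "high" hits carry the traversal or absolute-path shape described in this advisory and should be correlated with the WordPress user behind the session, since the exploit needs only subscriber-level credentials.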
🔗 References
- https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.7.0.1/includes/class-sonaar-music.php#L739
- https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.7.0.1/includes/class-sonaar-music.php#L755
- https://plugins.trac.wordpress.org/changeset/3142445/mp3-music-player-by-sonaar/trunk/includes/class-sonaar-music.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/43adc9dd-1780-440f-90c2-ff05a22eb084?source=cve