CVE-2025-8559
📋 TL;DR
The All in One Music Player WordPress plugin contains a path traversal vulnerability that allows authenticated attackers with Contributor-level access or higher to read arbitrary files that the web server process can access. This can expose sensitive data such as configuration files and the credentials they contain. WordPress sites running this plugin at version 1.3.1 or earlier are affected.
💻 Affected Systems
- All in One Music Player WordPress Plugin
⚠️ Manual Verification Required
The CVE record for this issue does not carry machine-readable version ranges, so automated vulnerability detection cannot determine whether your installation is affected.
Why? The CVE database entry does not specify affected versions (no version ranges provided by the vendor/NVD). The 1.3.1 ceiling quoted on this page comes from the advisory text, so check the installed plugin version against it manually.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive server files such as wp-config.php (database credentials and salts) or other configuration files and keys that are readable by the web server account, potentially leading to full site compromise.
Likely Case
Attackers with contributor accounts could read sensitive WordPress files, potentially obtaining database credentials or other configuration data that could be used for further attacks.
If Mitigated
With proper access controls and file permissions, impact is limited to reading files accessible to the web server user, though sensitive configuration files are typically readable by this user.
🎯 Exploit Status
Exploitation requires an authenticated account at Contributor level or higher and knowledge of the vulnerable parameter. The vulnerability is in the handling of the 'theme' parameter, which is used to build a file path without adequate traversal filtering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: A release after 1.3.1 (check the plugin changelog at the link below for the exact fixed version)
Vendor Advisory: https://wordpress.org/plugins/all-in-one-music-player/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'All in One Music Player'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily restrict or remove Contributor-level access until patching is complete, and review existing Contributor (and higher) accounts for any that are unneeded or unrecognised.
Web Application Firewall Rule
Add a WAF rule that blocks path traversal patterns in the 'theme' parameter. Match on the decoded value, or include URL-encoded (%2e%2e%2f, %2e%2e%5c) and double-encoded (%252e%252e%252f) forms as well as the literal '../' and '..\' sequences, otherwise the rule is trivially bypassed.
🧯 If You Can't Patch
- Deactivate and remove the All in One Music Player plugin immediately.
- Implement strict file permissions and directory restrictions for web server user.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'All in One Music Player' version 1.3.1 or earlier.
Check Version:
wp plugin list --name='all-in-one-music-player' --field=version
Verify Fix Applied:
Verify plugin version is greater than 1.3.1 in WordPress admin panel or check that the plugin has been removed.
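The WP-CLI command above needs a working WordPress bootstrap. When you only have filesystem access (a backup, a mounted volume, a host without WP-CLI), the installed version can be read from the plugin header comment in the plugin's main PHP file instead. The snippet below is an added example for this page, not code from the plugin or its vendor; the sample header text is constructed, and the header format and plugin slug follow standard WordPress conventions. It compares versions numerically so that 1.3.10 is correctly treated as newer than 1.3.1, which a plain string comparison gets wrong.

```python
"""Decide from the plugin header whether an installed All in One Music Player
copy is in the affected range (<= 1.3.1), without needing WP-CLI.

Added example for this page; not code from the plugin. SAMPLE_HEADER is
constructed for illustration.
"""
import re
from pathlib import Path

LAST_AFFECTED = (1, 3, 1)          # highest version the advisory lists as affected
PLUGIN_SLUG = 'all-in-one-music-player'

# WordPress plugin header line, e.g. " * Version: 1.3.1" inside the file comment.
HEADER_RE = re.compile(r'^\s*\*?\s*Version:\s*(?P<v>[0-9][0-9A-Za-z.\-]*)\s*$', re.MULTILINE)


def parse_version(text):
    """Turn '1.3.1' into (1, 3, 1). A non-numeric suffix such as '-beta' ends
    the parse so the comparison stays purely numeric."""
    parts = []
    for piece in text.split('.'):
        m = re.match(r'\d+', piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    return tuple(parts)


def normalize(v):
    """Drop trailing zeros so 1.3.1.0 compares equal to 1.3.1."""
    v = list(v)
    while len(v) > 1 and v[-1] == 0:
        v.pop()
    return tuple(v)


def is_vulnerable(version):
    """True when the version is <= 1.3.1. Tuple comparison avoids the string
    trap where '1.3.10' < '1.3.2' lexically."""
    v = parse_version(version)
    if not v:
        raise ValueError(f'unparseable version: {version!r}')
    return normalize(v) <= normalize(LAST_AFFECTED)


def version_from_plugin_header(php_source):
    """Extract the Version: header value from a plugin's main PHP file, or None."""
    m = HEADER_RE.search(php_source)
    return m.group('v') if m else None


def check_plugin_dir(plugins_dir, slug=PLUGIN_SLUG):
    """Return (installed_version, vulnerable). (None, False) means the plugin
    folder is absent or no header was found; treat the latter as 'unknown'."""
    plugin_dir = Path(plugins_dir) / slug
    if not plugin_dir.is_dir():
        return None, False
    for php in sorted(plugin_dir.glob('*.php')):      # header lives in a top-level file
        version = version_from_plugin_header(php.read_text(errors='replace'))
        if version:
            return version, is_vulnerable(version)
    return None, False


# Constructed sample header (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: All in One Music Player
 * Version: 1.3.1
 */
"""

if __name__ == '__main__':
    v = version_from_plugin_header(SAMPLE_HEADER)
    print(f'sample header version {v}: vulnerable={is_vulnerable(v)}')
    # Typical path on a Debian/Ubuntu host; adjust to your document root.
    print(check_plugin_dir('/var/www/html/wp-content/plugins'))
```

A result of `(None, False)` from `check_plugin_dir` means the plugin directory was not found or had no parseable header; confirm removal in the admin panel before treating that as "fixed".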
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs
- Requests to plugin files with '../' or '..\' sequences in parameters, including URL-encoded forms such as %2e%2e%2f and double-encoded forms such as %252e%252e%252f
- Repeated requests from one authenticated account that vary only the traversal depth or the target file name
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\ or their encoded forms) in the 'theme' parameter
- Unusual file downloads from plugin endpoints, in particular responses containing text such as DB_PASSWORD that should never leave the server
SIEM Query:
web_access_logs WHERE url CONTAINS '/wp-content/plugins/all-in-one-music-player/' AND (params CONTAINS '../' OR params CONTAINS '..\\' OR params CONTAINS '%2e%2e' OR params CONTAINS '%252e%252e')
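The substring matches in the SIEM query above miss payloads that are percent-encoded once or twice, and they fire on any parameter rather than just 'theme'. The following is an added example for this page (not code from the plugin, the vendor or any SIEM product) that runs the detection logic over a few constructed Common Log Format lines: it decodes the query string repeatedly so that %2e%2e%2f and %252e%252e%252f normalise to ../, accepts either slash direction, and only reports the 'theme' parameter. The request paths in the sample lines are assumptions for illustration; substitute the endpoints you actually see in your own logs.

```python
"""Flag access-log requests whose 'theme' parameter carries a path traversal
payload, including URL-encoded and double-encoded variants.

Added example for this page; not plugin, vendor or SIEM code. SAMPLE_LOG is
constructed and the request paths in it are assumptions, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' path segment bounded by a forward or back slash (or string start/end).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double- and triple-encoded payloads normalise.
    Stops early once a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' segment or an embedded NUL byte."""
    decoded = fully_decode(value)
    return bool(TRAVERSAL_RE.search(decoded)) or '\x00' in decoded


def scan_log(lines, param='theme'):
    """Return (ip, user, status, decoded_value) for every request whose `param`
    carries a traversal payload. Other parameters are ignored on purpose, so
    generic scanner noise against unrelated endpoints does not page anyone."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        # parse_qs decodes one layer; fully_decode handles further layers.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((m.group('ip'), m.group('user'), m.group('status'),
                             fully_decode(value)))
    return hits


# Constructed sample lines (not real traffic). The plugin endpoint path is an
# assumption; the 'theme' parameter name is the one named in the advisory.
PLUGIN_PATH = '/wp-content/plugins/all-in-one-music-player/'
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2025:12:00:01 +0000] "GET /?p=12&theme=dark HTTP/1.1" 200 5120',
    f'203.0.113.7 - contrib1 [10/Aug/2025:12:00:02 +0000] "GET {PLUGIN_PATH}?theme=../../../../wp-config.php HTTP/1.1" 200 3210',
    f'203.0.113.7 - contrib1 [10/Aug/2025:12:00:03 +0000] "GET {PLUGIN_PATH}?theme=..%2f..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3210',
    f'203.0.113.7 - contrib1 [10/Aug/2025:12:00:04 +0000] "GET {PLUGIN_PATH}?theme=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3210',
    f'203.0.113.9 - - [10/Aug/2025:12:00:05 +0000] "GET {PLUGIN_PATH}?theme=..%5c..%5cwp-config.php HTTP/1.1" 403 199',
    # Traversal attempt, but not in the 'theme' parameter: deliberately not flagged.
    '198.51.100.2 - - [10/Aug/2025:12:00:06 +0000] "GET /?s=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 800',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two caveats when running this against real data: a 200 response to a flagged request is much more significant than a 403 or 404, so sort hits by status; and if the parameter reaches the plugin in a POST body or via stored post content rather than the query string, standard access logs will not contain it and you will need request-body logging or a WAF log instead.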