CVE-2025-8559
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-02
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sanjeev_aryal | all_in_one_music_player | 1.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The All in One Music Player plugin for WordPress has a Path Traversal vulnerability in all versions up to and including 1.3.1 via the 'theme' parameter. This vulnerability allows authenticated attackers with Contributor-level access or higher to read the contents of files on the server. These files may contain sensitive information, which the attacker can access due to improper validation of the 'theme' parameter.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with Contributor-level access or above to read sensitive files on your server. This could lead to exposure of confidential data, such as configuration files, credentials, or other private information stored on the server, potentially compromising your website's security and privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the All in One Music Player plugin for WordPress is installed and running a version up to and including 1.3.1. Since the vulnerability involves the 'theme' parameter allowing path traversal by authenticated users with Contributor-level access or higher, detection can include checking for unusual file access attempts or exploitation attempts targeting this parameter. Specific commands are not provided in the resources, but general detection steps include reviewing web server logs for suspicious requests containing path traversal patterns (e.g., '../') in the 'theme' parameter and verifying plugin version via WordPress admin or by checking the plugin files. No explicit commands are given in the provided resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the All in One Music Player plugin to a version later than 1.3.1 where the vulnerability is fixed. If an update is not available, restrict Contributor-level and higher user permissions to trusted users only, and monitor for suspicious activity involving the 'theme' parameter. Additionally, consider disabling or removing the plugin until a patch is applied. No specific mitigation commands or steps are detailed in the provided resources.