WordPress · Zoomsounds · CVE-2021-39316
Name of the Vulnerable Software and Affected Versions:
Zoomsounds plugin versions <= 6.45 for WordPress
Description:
The issue allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.
Recommendations:
For Zoomsounds plugin versions <= 6.45, update to a version greater than 6.45 to resolve the issue. As a temporary workaround, restrict access to the `dzsap_download` action to minimize the risk of exploitation, and avoid relying on the `link` parameter of the affected endpoint until the plugin has been updated.
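The following is an added example, not code from the Zoomsounds plugin or from this advisory. It shows two things a defender wants for the issue described above: a scan over web-server access logs that flags requests to the `dzsap_download` action whose `link` value looks like directory traversal (including double-encoded forms), and the canonicalisation check a download handler must perform so a requested path cannot escape the directory it is meant to serve. The log lines, IP addresses and base directory are constructed for the example and are not real traffic or real paths.

```python
"""Detection and mitigation helpers for the dzsap_download traversal issue.

Added example (not the plugin's code). The log lines below are constructed
in Apache/Nginx combined format purely to exercise the scanner.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample traffic: one benign download, two traversal attempts
# (plain and double-encoded), and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2021:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=dzsap_download&link=wp-content/uploads/2021/08/track.mp3 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2021:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=dzsap_download&link=../../wp-config.php HTTP/1.1" 200 3210 "-" "curl/7.68.0"
203.0.113.7 - - [10/Aug/2021:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=dzsap_download&link=..%252F..%252Fwp-config.php HTTP/1.1" 200 3210 "-" "curl/7.68.0"
203.0.113.9 - - [10/Aug/2021:12:00:04 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment, with either slash style as separator.
TRAVERSAL_SEGMENT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so that double-encoded
    traversal (e.g. %252E%252E%252F) is normalised before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(link: str) -> bool:
    """True if the `link` value tries to leave the intended directory:
    an absolute path or any '..' segment, after full decoding."""
    normalised = fully_decode(link).replace("\\", "/")
    return normalised.startswith("/") or bool(TRAVERSAL_SEGMENT.search(normalised))


def scan_log(text: str) -> list:
    """Return one record per request that targets dzsap_download with a
    traversal-looking `link` parameter. Records carry the decoded link and
    the HTTP status, so a 200 on wp-config.php stands out as a likely success."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query)
        if "dzsap_download" not in qs.get("action", []):
            continue
        for link in qs.get("link", []):
            if is_traversal(link):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "link": fully_decode(link),
                    "status": int(m["status"]),
                })
    return hits


def resolve_within(base_dir: str, requested: str):
    """The check a download handler should make before opening a file:
    canonicalise `requested` relative to `base_dir` and return the real path
    only if it is still inside `base_dir`; otherwise return None.
    `base_dir` is an assumed uploads directory, not a path from the plugin."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, fully_decode(requested)))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} link={hit['link']}")
```

`resolve_within` relies on `os.path.realpath` rather than string filtering: it resolves `..` segments and symlinks first and only then compares the prefix, so a request of `../../wp-config.php` (or its double-encoded form) is rejected, while `2021/08/track.mp3` under the uploads directory is allowed. `os.path.join` discards the base when the request is absolute, which is exactly why the prefix comparison, not the join, is the security boundary.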