CVE-2024-7856

Name of the Vulnerable Software and Affected Versions The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress versions up to, and including, 5.7.0.1

Description The issue is related to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the file parameter. This allows authenticated attackers with subscriber-level access and above to delete arbitrary files, potentially leading to remote code execution if critical files like wp-config.php are deleted.

Recommendations For versions up to, and including, 5.7.0.1, update to a version higher than 5.7.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the removeTempFiles() function and validating the file parameter to prevent unauthorized file deletion. Additionally, ensure that only trusted users have subscriber-level access and above to minimize the risk of exploitation.