CVE-2024-13776

Name of the Vulnerable Software and Affected Versions ZoomSounds - WordPress Wave Audio Player with Playlist plugin versions up to, and including, 6.91

Description The issue allows authenticated attackers with Subscriber-level access and above to modify data due to a missing capability check on the 'dzsap delete notice' AJAX action. This can lead to a denial of service by updating option values to cause an error on the site or setting certain values to true, such as registration. Several other functions are also vulnerable to missing authorization.

Recommendations For versions up to, and including, 6.91, update to a version that includes a fix for the missing capability check on the 'dzsap delete notice' AJAX action to prevent unauthorized modification of data. As a temporary workaround, consider restricting access to the 'dzsap delete notice' AJAX action to prevent exploitation until a patch is available. Restrict access to the vulnerable functions to minimize the risk of exploitation.