ZoomSounds WordPress Plugin PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the ZoomSounds - WordPress Wave Audio Player with Playlist plugin, affecting all versions through 6.91. The vulnerability arises from the deserialization of untrusted input in the 'margs' parameter, which allows unauthenticated attackers to inject PHP objects. The vulnerable plugin itself does not have a known object injection chain. The impact could still be significant if another plugin or theme with such a chain is installed: depending on the specific chain available, it could enable actions like deleting files, accessing sensitive information, or executing code.

Impact

Exploitation of this vulnerability could lead to PHP Object Injection. The injected objects could be manipulated only if a suitable object injection chain is present through another plugin or theme.

Remediation

No patch is currently available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
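While the plugin remains installed, requests can be screened for serialized PHP objects in the 'margs' parameter. The following is an added example, not code from the plugin or from this advisory: a Python check over request URLs and form bodies. The sample requests, the placeholder path and the base64 handling are assumptions, since the advisory does not say how the parameter is transported.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# PHP serialize() writes objects as O:<len>:"Class":<n>:{ and Serializable
# classes as C:<len>:"Class":<len>:{ . Arrays, strings and integers (a:, s:,
# i:) name no class, so only O:/C: tokens can instantiate one on unserialize().
# The optional "+" covers the signed-length form older PHP versions accepted.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"')

def decodings(value):
    """Yield the value as received and, if it is valid base64, its decoding."""
    yield value
    try:
        # Assumption: the value might be base64-wrapped; the advisory does not say.
        yield base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass

def margs_values(url, body=""):
    """Collect every 'margs' value from the query string and a form-encoded body."""
    values = []
    for encoded in (urlsplit(url).query, body):
        values += parse_qs(encoded, keep_blank_values=True).get("margs", [])
    return values

def has_object(url, body=""):
    """True if any 'margs' value carries a serialized PHP object token."""
    return any(OBJECT_TOKEN.search(text)
               for value in margs_values(url, body)
               for text in decodings(value))

# Constructed sample requests as (url, body); the path is a placeholder.
SAMPLES = [
    ("/placeholder?margs=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A5%3A%22audio%22%3B%7D", ""),
    ("/placeholder?margs=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D", ""),
    ("/placeholder", "margs=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"),
    ("/placeholder?margs=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D", ""),
    ("/placeholder?other=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D", ""),
]

def flagged(samples=SAMPLES):
    """Return the indexes of the samples that should be blocked or alerted on."""
    return [i for i, (url, body) in enumerate(samples) if has_object(url, body)]

if __name__ == "__main__":
    print(flagged())
```

A string value that happens to contain an object token will also be flagged, so treat hits as candidates for blocking or review rather than as confirmed exploitation.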

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.