WordPress Plugin Vulnerabilities

ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload

Description

The plugin contained a PHP file, allowing unauthenticated users to upload an arbitrary file anywhere on the web server.

Note (WPScanTeam): It's unclear which version fixed the issue exactly, however we were able to confirm the issue on version as high as v5.96 and that the related file has been removed at least since v6.05

IoC (Thanks https://twitter.com/riper8) :
/wp-content/plugins/dzs-zoomsounds/xxtest.php
/wp-content/plugins/dzs-zoomsounds/wp-fixer.php
/wp-content/plugins/dzs-zoomsounds/opa.php
/wp-content/plugins/dzs-zoomsounds/defacer.php
/wp-content/plugins/dzs-zoomsounds/wp-cn.php
/atx.php
/wp-includes/atx.php

Proof of Concept

Affects Plugins

Plugin icon
dzs-zoomsounds
Fixed in 6.05

References

CVE
CVE-2021-4457

Miscellaneous

Original Researcher
ganj
Submitter
ganj
Verified
Yes
WPVDB ID
07259a61-8ba9-4dd0-8d52-cc1df389c0ad

Timeline

Publicly Published
2021-06-24 (about 4 years ago)
Added
2021-06-24 (about 4 years ago)
Last Updated
2025-06-25 (about 6 months ago)

Other

Published
Title
Published
2024-11-08
Title
WP Membership < 1.6.3 - Unauthenticated Arbitrary File Upload
Published
2021-01-28
Title
Super Forms < 4.9.703 - Unauthenticated PHP File Upload to RCE
Published
2014-08-01
Title
RBX Gallery 2.1 - uploader.php File Upload PHP Code Execution
Published
2023-12-04
Title
MW WP Form < 5.0.2 - Unauthenticated Arbitrary File Upload
Published
2025-12-19
Title
File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data