WordPress Plugin Vulnerabilities

DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download

Description

The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the dzsap_download action using directory traversal in the link parameter

Proof of Concept

Affects Plugins

Plugin icon
dzs-zoomsounds
Fixed in 6.50

References

CVE
CVE-2021-39316
Exploitdb
50564
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39316

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
7.5 (high)

Miscellaneous

Original Researcher
DigitalJessica Ltd
Verified
Yes
WPVDB ID
d2d60cf7-e4d3-42b6-8dfe-7809f87547bd

Timeline

Publicly Published
2021-08-31 (about 4 years ago)
Added
2021-08-31 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2025-11-20
Title
Tainacan < 1.0.1 - Unauthenticated Information Exposure
Published
2021-02-13
Title
Theme Editor < 2.6 - Authenticated Arbitrary File Download
Published
2022-08-01
Title
Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download
Published
2026-01-06
Title
WP-Members Membership Plugin < 3.5.4.5 - Unauthenticated Information Exposure via Unprotected Files
Published
2025-02-23
Title
Download Manager < 3.3.07 - Unauthenticated Data Exposure