CVE-2024-10803: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in FWDesign MP3 Sticky Player
The MP3 Sticky Player plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Please note the vendor released the patched version as the same version as the affected version.
AI Analysis
Technical Summary
The FWDesign MP3 Sticky Player WordPress plugin contains a CWE-22 path traversal vulnerability in the content/downloader.php file. This flaw allows unauthenticated remote attackers to read arbitrary files on the server by manipulating pathname inputs. The vulnerability affects all versions up to and including 8.0. The vendor has issued a patch under the same version number as the affected release, indicating that users should verify and apply the updated plugin to mitigate the risk. The CVSS 3.1 base score is 7.5, reflecting high impact on confidentiality with no impact on integrity or availability.
Potential Impact
Successful exploitation permits unauthenticated attackers to read arbitrary files on the web server hosting the vulnerable plugin. This can lead to disclosure of sensitive information stored on the server, potentially compromising confidentiality. There is no direct impact on system integrity or availability reported.
Mitigation Recommendations
A patched version of the MP3 Sticky Player plugin has been released by the vendor under the same version number as the affected one. Users should obtain the updated plugin directly from the vendor or official source and apply the patch to remediate the vulnerability. Since no official patch link is provided, users must verify the authenticity and integrity of the update. Until patched, restrict access to the vulnerable downloader.php file if possible.
CVE-2024-10803: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in FWDesign MP3 Sticky Player
Description
The MP3 Sticky Player plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Please note the vendor released the patched version as the same version as the affected version.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The FWDesign MP3 Sticky Player WordPress plugin contains a CWE-22 path traversal vulnerability in the content/downloader.php file. This flaw allows unauthenticated remote attackers to read arbitrary files on the server by manipulating pathname inputs. The vulnerability affects all versions up to and including 8.0. The vendor has issued a patch under the same version number as the affected release, indicating that users should verify and apply the updated plugin to mitigate the risk. The CVSS 3.1 base score is 7.5, reflecting high impact on confidentiality with no impact on integrity or availability.
Potential Impact
Successful exploitation permits unauthenticated attackers to read arbitrary files on the web server hosting the vulnerable plugin. This can lead to disclosure of sensitive information stored on the server, potentially compromising confidentiality. There is no direct impact on system integrity or availability reported.
Mitigation Recommendations
A patched version of the MP3 Sticky Player plugin has been released by the vendor under the same version number as the affected one. Users should obtain the updated plugin directly from the vendor or official source and apply the patch to remediate the vulnerability. Since no official patch link is provided, users must verify the authenticity and integrity of the update. Until patched, restrict access to the vulnerable downloader.php file if possible.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-04T16:59:29.662Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6dfeb7ef31ef0b5926a5
Added to database: 2/25/2026, 9:47:42 PM
Last enriched: 4/9/2026, 12:05:24 PM
Last updated: 4/12/2026, 1:32:55 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.