CVE-2024-10804 is a directory traversal vulnerability identified in the Ultimate Video Player WordPress & WooCommerce Plugin developed by FWDesign. The vulnerability exists in the content/downloader.php script, which fails to properly sanitize and restrict pathname inputs. This improper limitation allows an unauthenticated attacker to craft specially designed requests that traverse directories outside the intended restricted directory. As a result, attackers can read arbitrary files on the web server, potentially exposing sensitive data such as configuration files, credentials, or other private information stored on the server. The vulnerability affects all versions of the plugin up to and including version 10.0. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network exploitability (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (C:H), with no impact on integrity or availability. No patches or official fixes are currently linked, and no known exploits have been observed in the wild, but the vulnerability poses a significant risk given the widespread use of WordPress and WooCommerce plugins in e-commerce and content delivery environments.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored on affected servers. Attackers can leverage this flaw to access configuration files, database credentials, user data, or other critical files, potentially leading to further compromise or data breaches. For organizations running e-commerce sites or media platforms using this plugin, the exposure of sensitive data could result in loss of customer trust, regulatory penalties, and reputational damage. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely and at scale, increasing the risk of widespread attacks. Additionally, attackers could use the information gained to facilitate subsequent attacks such as privilege escalation, lateral movement, or deployment of malware. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge.

Organizations should immediately audit their WordPress installations to identify if the Ultimate Video Player plugin is in use and confirm the version. Since no official patches are currently linked, temporary mitigations include disabling or removing the plugin until a vendor patch is released. Web application firewalls (WAFs) can be configured to detect and block directory traversal patterns in HTTP requests targeting content/downloader.php. Restricting access to the downloader.php file via server-level controls (e.g., IP whitelisting, authentication requirements) can reduce exposure. Monitoring web server logs for suspicious requests containing directory traversal sequences (e.g., ../) is recommended to detect exploitation attempts. Additionally, organizations should ensure that sensitive files on the server are not accessible to the web server user or are protected with appropriate file permissions. Keeping WordPress core and all plugins updated and subscribing to vendor security advisories will help ensure timely application of future patches.