CVE-2024-7856 HIGH

CVE-2024-7856: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.7.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion

Vendor Sonaar
Product MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Weakness CWE-862 · Missing authorization
Published August 29, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted.

Key dates

02Disclosure timeline

August 29, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-30529 WordPress Tainacan plugin <= 0.20.7 - Broken Access Control vulnerability CVE-2024-12204 Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups <= 1.3.5 - Missing Authorization CVE-2026-25036 WordPress Passster plugin <= 4.2.25 - Broken Access Control vulnerability CVE-2025-22560 WordPress Saoshyant Page Builder plugin <= 3.8 - Broken Access Control vulnerability CVE-2026-41192 FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments