CVE-2021-39316: 
WordPress vulnerability analysis and mitigation

The Zoomsounds plugin version 6.45 and below for WordPress contains a directory traversal vulnerability (CVE-2021-39316) that allows unauthenticated attackers to download arbitrary files, including sensitive configuration files such as wp-config.php. The vulnerability was discovered and disclosed on August 31, 2021 (NVD).

The vulnerability exists in the dzsap_download action functionality of the plugin, where improper limitation of pathname allows directory traversal through the link parameter. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wordfence).

The vulnerability allows attackers to access and download sensitive files from the WordPress installation, including critical configuration files like wp-config.php which may contain database credentials and authentication keys. This could lead to unauthorized access to sensitive information and potential system compromise (WPScan).

The vulnerability has been patched in version 6.50 of the Zoomsounds plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).