CVE-2021-4457: 
WordPress vulnerability analysis and mitigation

The ZoomSounds WordPress plugin before version 6.05 contains a critical security vulnerability identified as CVE-2021-4457. This vulnerability was discovered and reported by researcher ganj, and was publicly disclosed on June 24, 2021. The vulnerability affects all versions of the ZoomSounds plugin up to version 6.05 (Wiz).

The vulnerability exists in a PHP file within the plugin that allows unauthenticated users to upload arbitrary files anywhere on the web server. The issue was confirmed to exist in versions as high as v5.96, and the vulnerable file was removed in version 6.05. The vulnerability has been assigned a CVSS 3.1 Base Score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (Wiz, WPScan).

The vulnerability allows unauthenticated attackers to upload arbitrary files to any location on the web server, potentially leading to complete server compromise. This level of access could enable attackers to execute malicious code, modify website content, or gain unauthorized access to sensitive information (Wiz).

The vulnerability has been fixed in ZoomSounds plugin version 6.05. Users are strongly advised to update to this version or later to protect against this security risk. If immediate updating is not possible, it is recommended to remove or disable the plugin until an update can be applied (Wiz).