Cyber Resilience

CVE-2024-10803

Severity: High
Published: 23 November 2024
Modified: 15 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: available from the vendor
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0408 (88.8th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10803 is a high-severity Path Traversal (CWE-22) vulnerability in the MP3 Sticky Player plugin for WordPress; the affected asset is recorded here as Codecanyon (inferred from references, since NVD filed no CPE). Its CVSS base score is 7.5 (High).

Operationally, its EPSS score places it in the top 11.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The MP3 Sticky Player plugin for WordPress is affected by a directory traversal vulnerability (CWE-22) present in all versions through 8.0. The flaw resides in the content/downloader.php component and permits an attacker to supply path traversal sequences that cause the application to read arbitrary files on the underlying server.

Unauthenticated remote attackers can exploit the issue over the network without any user interaction. Successful exploitation grants read access to sensitive files such as configuration data, credentials, or other restricted content, corresponding to the observed CVSS 7.5 rating that emphasizes high confidentiality impact with no integrity or availability effects.

The vendor published a patched release that carries the same version number as the vulnerable release, requiring administrators to verify the actual file contents or obtain the corrected package directly from the vendor site. The Wordfence advisory linked in the references provides additional technical detail on the affected endpoint and confirms the unauthenticated attack vector.

EPSS scores have remained low throughout the observation window, with a modest peak of 0.0546 that has since receded to 0.0408, indicating limited observed exploitation interest.

EU & UK References

Vulnerability details

The MP3 Sticky Player plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Please note the vendor released the patched version as the same version as the affected version.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Codecanyon (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
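As an added illustration of that control (this is not the plugin's or the vendor's code; the directory layout, file names and function name are assumptions), a PHP download helper that refuses any request which would resolve outside its media directory, including names with directory components and symlinks that point elsewhere:

```php
<?php
// Added example, not code from the MP3 Sticky Player plugin: a download
// helper that confines a requested file name to one media directory.
// Directory layout and function name are assumptions for this demo.

function safe_download_path(string $base_dir, string $requested): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept bare file names only: any directory component is refused.
    if (basename($requested) !== $requested) {
        return null;
    }
    // Serve only the media types this downloader exists for.
    if (!preg_match('/\.(mp3|m4a|ogg)$/i', $requested)) {
        return null;
    }
    $base = realpath($base_dir);
    $full = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks and returns false for missing files, so a
    // link pointing outside the media directory fails the prefix check below.
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo: a temporary media directory holding one real track.
$media = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_' . bin2hex(random_bytes(4));
mkdir($media);
file_put_contents($media . DIRECTORY_SEPARATOR . 'track.mp3', 'not really audio');

$requests = ['track.mp3', '../../outside.txt', 'track.mp3/../outside.mp3', 'notes.txt'];
foreach ($requests as $name) {
    $result = safe_download_path($media, $name);
    printf("%-28s => %s\n", $name, $result === null ? 'rejected' : 'served ' . basename($result));
}

unlink($media . DIRECTORY_SEPARATOR . 'track.mp3');
rmdir($media);
```

In a WordPress handler the returned path, never the raw request parameter, is what gets passed to readfile(), and a null result should end the request with an error status before any file is opened.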

References