CVE-2024-10804
Published: 07 March 2025
Summary
CVE-2024-10804 is a high-severity Path Traversal (CWE-22) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-10804 is a directory traversal vulnerability (CWE-22) in the Ultimate Video Player WordPress & WooCommerce Plugin for WordPress, affecting all versions up to and including 10.0. The flaw exists in the content/downloader.php file, allowing unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive information. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By sending crafted requests to the vulnerable downloader.php endpoint, they can traverse directories and access files outside the intended scope, such as configuration files, wp-config.php, or other server-stored data containing sensitive details.
Advisories and further details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5394abc6-836f-4b22-a7b6-79d092b93a7e?source=cve and the plugin page on CodeCanyon at https://codecanyon.net/item/ultimate-video-player-wordpress-plugin/8374433. The CVE was published on 2025-03-07T09:15:13.340.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54130
Vulnerability details
The Ultimate Video Player WordPress & WooCommerce Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 10.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of…
more
arbitrary files on the server, which can contain sensitive information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The path traversal vulnerability in a public-facing WordPress plugin enables remote unauthenticated exploitation of the application (T1190) and direct reading of arbitrary local system files including sensitive configs (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of file path inputs to the downloader.php endpoint, directly preventing directory traversal exploitation.
Mandates timely remediation of the specific directory traversal flaw in the Ultimate Video Player plugin through patching or updates.
Enables vulnerability scanning to identify the presence of CVE-2024-10804 in the plugin, facilitating proactive patching.