CVE-2024-13671
Published: 30 January 2025
Summary
CVE-2024-13671 is a high-severity Path Traversal (CWE-22) vulnerability in Partitionnumerique Music Sheet Viewer. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13671 is an arbitrary file read vulnerability in the Music Sheet Viewer plugin for WordPress, affecting all versions up to and including 4.1. The flaw resides in the read_score_file() function and aligns with CWE-22 (path traversal), although NVD records the weakness as NVD-CWE-noinfo. Published on 2025-01-30, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, reachable over the network, with no authentication or user interaction required.
Unauthenticated attackers can exploit this vulnerability remotely by leveraging the flawed function to access and read the contents of arbitrary files on the affected server. Successful exploitation enables extraction of sensitive information stored in those files, such as configuration data or other server resources.
Advisories reference the vulnerable code in the plugin's source at https://plugins.trac.wordpress.org/browser/music-sheet-viewer/trunk/music-sheet-viewer.php#L748 and provide further details via Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/569f1cd4-195b-41d4-85cb-f529a1eb18d4?source=cve. CVE-2025-25155 is noted as a likely duplicate of this issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51716
Vulnerability details
The Music Sheet Viewer plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.1 via the read_score_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-25155 is likely a duplicate of this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated path traversal in a public-facing WordPress plugin gives an attacker remote access to the application (T1190) and, through the arbitrary file read, access to data held on the local system (T1005).
Mitigating Controls (NIST 800-53 r5)
Remediating the path traversal flaw in the read_score_file() function by patching the Music Sheet Viewer plugin, which is affected in all versions up to and including 4.1, directly prevents arbitrary file reads.
Implementing input validation on the file path parameter handled by read_score_file() blocks path traversal attempts and so prevents arbitrary file disclosure.
Restricting WordPress to least functionality by disabling unnecessary plugins like Music Sheet Viewer eliminates exposure to this arbitrary file read vulnerability.
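The input validation control above (SI-10), shown as an added example in PHP. This is not the plugin's own code and does not reproduce its fix; the base directory, allowed extensions and function name are hypothetical. The helper confines any requested score path to a fixed directory and logs each rejection so a WAF or SIEM rule can pick up probing.

```php
<?php
// Added example, not code from the Music Sheet Viewer plugin.
// SCORE_BASE_DIR and ALLOWED_EXTENSIONS are assumed values for illustration.
const SCORE_BASE_DIR = '/var/www/html/wp-content/uploads/scores';
const ALLOWED_EXTENSIONS = ['mei', 'musicxml', 'xml', 'abc'];

/**
 * Return the contents of a score file, or null if the request is rejected.
 * Rejects NUL bytes, absolute paths, backslashes, '..' segments, unexpected
 * extensions and symlink escapes; every rejection is logged for detection.
 */
function safe_read_score_file(string $requested, string $base_dir = SCORE_BASE_DIR): ?string
{
    // 1. Byte-level checks before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        error_log('score read rejected (empty or NUL byte): ' . bin2hex($requested));
        return null;
    }
    // 2. Only a plain relative name: no leading slash, no backslash, no '..' segment.
    if ($requested[0] === '/' || strpos($requested, '\\') !== false
        || preg_match('#(^|/)\.\.(/|$)#', $requested)) {
        error_log("score read rejected (traversal): $requested");
        return null;
    }
    // 3. Extension allow-list keeps configuration files out of scope entirely.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        error_log("score read rejected (extension '$ext'): $requested");
        return null;
    }
    // 4. Canonicalise both sides; realpath() resolves symlinks, so the resolved
    //    file must still sit under the base directory.
    $base = realpath($base_dir);
    $full = realpath($base_dir . '/' . $requested);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log("score read rejected (outside base directory): $requested");
        return null;
    }
    if (!is_file($full) || !is_readable($full)) {
        return null;
    }
    return file_get_contents($full);
}

// Constructed inputs: both are rejected before any file is opened.
var_dump(safe_read_score_file('../../wp-config.php')); // NULL (traversal)
var_dump(safe_read_score_file('notes.php'));           // NULL (extension)
```

The realpath() step is the one that matters against encoded or symlinked variants; the earlier string checks mainly produce clearer log entries for detection.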