CVE-2025-3431 - Vulnerability Details

- ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.91 - Unauthenticated Arbitrary File Download

Description

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Published: 2025-04-08

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

ZoomSounds – WordPress Wave Audio Player with Playlist is vulnerable through the 'dzsap_download' action to arbitrary file read. The flaw allows an attacker to specify any file path on the server and obtain its contents, potentially revealing confidential data such as configuration files, credentials or other sensitive documents. This vulnerability is categorized as CWE‑73, indicating an insecure file-handling function that does not validate input properly.

Affected Systems

The affected product is the ZoomSounds WordPress plugin distributed by DigitalZoomStudio. All releases through version 6.91, inclusive, are impacted. WordPress sites running this plugin across any environment are at risk if the plugin remains installed at these versions.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity. EPSS reports a likelihood of less than 1%, suggesting current exploitation activity is low, and the vulnerability is not yet listed in the CISA KEV catalog. Nonetheless, the flaw is reachable through unauthenticated HTTP requests to the plugin’s download endpoint, meaning a web-based attacker can trigger it without additional credentials. The potential damage spans from data leakage to further compromise if sensitive files are retrieved.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ZoomIt

ZoomSounds - WordPress Wave Audio Player with Playlist

unaffected

Version	Status	Constraints
`0`	affected	≤ 6.91

Configuration 1 [-]

cpe:2.3:a:digitalzoomstudio:zoomsounds:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the ZoomSounds plugin to a version newer than 6.91 when an update is released by DigitalZoomStudio.
If no patch is available, consider disabling or uninstalling the plugin until the issue is resolved.
Implement application‑level controls such as a web‑application firewall rule that blocks requests to the 'dzsap_download' action to reduce exposure.

Generated by OpenCVE AI on April 20, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10351	The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00485.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433
https://www.wordfence.com/threat-intel/vulnerabilities/id/a78998da-1cb1-4991-95a8-a551bde04064?source=cve

History

Wed, 04 Jun 2025 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Digitalzoomstudio Digitalzoomstudio zoomsounds
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:digitalzoomstudio:zoomsounds::::::wordpress::*
Vendors & Products		Digitalzoomstudio Digitalzoomstudio zoomsounds

Tue, 08 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 08 Apr 2025 07:45:00 +0000

Type	Values Removed	Values Added
Description		The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Title		ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.91 - Unauthenticated Arbitrary File Download
Weaknesses		CWE-73
References		https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433 https://www.wordfence.com/threat-intel/vulnerabilities/id/a78998da-1cb1-4991-95a8-a551bde04064?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Digitalzoomstudio Zoomsounds

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-04-08T07:29:43.985Z

Updated: 2026-04-08T17:13:41.006Z

Reserved: 2025-04-07T19:11:21.786Z

Link: CVE-2025-3431

Vulnrichment

Updated: 2025-04-08T13:20:56.176Z

NVD

Status : Analyzed

Published: 2025-04-08T08:15:18.447

Modified: 2025-06-04T22:27:39.390

Link: CVE-2025-3431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object