Description
The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
Published: 2025-09-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read Server Files via Path Traversal
Action: Patch Immediately
AI Analysis

Impact

A path traversal flaw exists in the All in One Music Player plugin for WordPress that is triggered through the "theme" parameter. The flaw allows an attacker who has authenticated access with Contributor or higher role to read arbitrary files stored on the server, potentially exposing sensitive data such as configuration files or user credentials. The weakness is a classic directory traversal issue (CWE-22).

Affected Systems

The vulnerability affects all installations of the All in One Music Player plugin for WordPress with a version of 1.3.1 or earlier. The plugin is developed by the vendor sanzeeb3 and can be found under the product name "All in One Music Player".

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, but the EPSS score of less than 1% shows that exploitation is considered unlikely. The flaw is not listed in the CISA KEV catalogue. An attacker must first be authenticated and possess at least Contributor level permissions, after which the path traversal can be abused by supplying crafted values to the theme parameter. The impact is confined to the attacker’s permissions, but can still lead to disclosure of sensitive files if the user has read access to them.

Generated by OpenCVE AI on April 20, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the All in One Music Player plugin to a version newer than 1.3.1.
  • Limit Contributor role access on the site to only those who truly require it, or consider removing the Contributor role altogether.
  • If an update is not immediately possible, disable or remove the ‘theme’ parameter functionality by editing the plugin’s code or configuration so that it no longer accepts external values.

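A hardened way to resolve a user-supplied theme name to a file, as an added example that is neither the plugin's code nor part of the OpenCVE analysis above. It assumes a hypothetical directory of theme stylesheets and shows the two checks that stop traversal: a strict name allowlist and a `realpath()` containment check.

```php
<?php
// Added example (not the plugin's own code). Resolves a 'theme' request
// parameter to a file inside a fixed directory, rejecting any value that
// would escape it. $base is a hypothetical directory of theme CSS files.

function resolve_theme_file(string $base, string $theme): ?string
{
    // 1. Allowlist the name itself: letters, digits, dash, underscore only.
    //    This alone rejects '..', '/', '\' and null bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $theme)) {
        return null;
    }

    // 2. Defense in depth: canonicalise both paths and require the candidate
    //    to sit under the base directory. realpath() collapses '..' and
    //    follows symlinks, so a symlinked entry pointing outside is rejected
    //    too, and a missing file yields false rather than a guessed path.
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    $candidate = realpath($base_real . DIRECTORY_SEPARATOR . $theme . '.css');
    if ($candidate === false
        || strpos($candidate, $base_real . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a constructed temporary directory with one sample theme file.
$base = sys_get_temp_dir() . '/theme_demo_' . getmypid();
mkdir($base, 0700, true);
file_put_contents($base . '/default.css', "/* constructed sample */\n");

var_dump(resolve_theme_file($base, 'default') !== null);     // true: valid name, file exists
var_dump(resolve_theme_file($base, '../../outside'));        // NULL: fails the allowlist
var_dump(resolve_theme_file($base, 'default/../default'));   // NULL: fails the allowlist
var_dump(resolve_theme_file($base, 'missing'));              // NULL: realpath() returns false

unlink($base . '/default.css');
rmdir($base);
```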

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-31686
Title: The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
History

Wed, 01 Oct 2025 09:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Sep 2025 09:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sanzeeb3; Sanzeeb3 all In One Music Player; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Removed: (none)
Values Added: Sanzeeb3; Sanzeeb3 all In One Music Player; Wordpress; Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type: Description
Values Added: The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
Type: Title
Values Added: All in One Music Player <= 1.3.1 - Authenticated (Contributor+) Path Traversal via theme Parameter
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added: (empty on the page)
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:51.529Z

Reserved: 2025-08-04T17:53:47.082Z

Link: CVE-2025-8559

Vulnrichment

Updated: 2025-09-30T15:30:50.709Z

NVD

Status : Deferred

Published: 2025-09-30T11:37:45.440

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses