CVE-2025-8559
Description
The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated path traversal in All in One Music Player <=1.3.1 allows Contributors+ to read arbitrary server files, leaking sensitive data.
Root Cause
The All in One Music Player plugin for WordPress, up to and including version 1.3.1, suffers from a path traversal vulnerability in the theme parameter. The plugin passes the user-supplied theme name directly into file operations without sanitization, so directory traversal sequences (e.g., ../) escape the intended theme directory [1].
Exploitation
The attacker must be authenticated with at least Contributor-level access; on a default WordPress install that is the lowest role able to create post content, and therefore to place the plugin's block or shortcode. The theme parameter is accepted in both block editor attributes and shortcode contexts. By supplying a crafted value such as ../../../../etc/passwd, the attacker can read files outside the plugin's assets folder [1]. Beyond that role, no further privilege or nonce check stands between the parameter and the file read.
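The pattern described under Root Cause and Exploitation, shown as an added example in PHP. This is not the All in One Music Player plugin's code and the plugin's real source is not on this page: the function names, the assumed layout assets/themes/<name>.css and the throwaway files are all hypothetical. The vulnerable loader concatenates the theme name into a path; the hardened loader allowlists the name and then checks realpath() containment, which is the kind of fix the missing patch would need to carry.

```php
<?php
// Added example: an illustrative vulnerable pattern and its hardened form.
// This is NOT the All in One Music Player plugin's code. The directory layout
// 'assets/themes/<name>.css' and the function names are assumptions.
// Requires PHP 8.0+ (union return types, str_starts_with).

// Vulnerable pattern: the user-controlled theme name is concatenated straight
// into a filesystem path, so '../' sequences walk out of the themes directory.
function aiomp_load_theme_vulnerable(string $base, string $theme): string|false
{
    $path = $base . '/assets/themes/' . $theme; // no validation at all
    return @file_get_contents($path);
}

// Hardened form. Two independent checks:
//  1. an allowlist regex on the raw name rejects '/', '\', '.', NUL and '..';
//  2. realpath() containment confirms the resolved file still sits inside the
//     themes directory, which also covers symlinks the regex cannot see.
function aiomp_load_theme_safe(string $base, string $theme): string|false
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return false;
    }
    $dir = realpath($base . '/assets/themes');
    if ($dir === false) {
        return false;
    }
    $path = realpath($dir . '/' . $theme . '.css'); // false if the file is missing
    // Compare with a trailing separator so '/themes-evil/x.css' cannot pass
    // a bare prefix check against '/themes'.
    if ($path === false || !str_starts_with($path, $dir . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return file_get_contents($path);
}

// Demonstration against a throwaway directory standing in for the plugin
// folder; 'secret.txt' plays the role of wp-config.php (constructed data).
$base = sys_get_temp_dir() . '/aiomp_demo_' . getmypid();
mkdir($base . '/assets/themes', 0700, true);
file_put_contents($base . '/assets/themes/dark.css', "body{background:#000}\n");
file_put_contents($base . '/secret.txt', "DB_PASSWORD=not-a-real-secret\n");

// assets/themes/../../secret.txt resolves to $base/secret.txt
$traversal = '../../secret.txt';

// The vulnerable loader hands back the secret; the hardened loader refuses
// the traversal value but still serves the legitimate theme name.
printf("vulnerable: %s\n", aiomp_load_theme_vulnerable($base, $traversal) === false ? 'blocked' : 'LEAKED');
printf("hardened:   %s\n", aiomp_load_theme_safe($base, $traversal) === false ? 'blocked' : 'LEAKED');
printf("legit:      %s\n", aiomp_load_theme_safe($base, 'dark') === false ? 'rejected' : 'served');

// Remove the throwaway files.
unlink($base . '/assets/themes/dark.css');
unlink($base . '/secret.txt');
rmdir($base . '/assets/themes');
rmdir($base . '/assets');
rmdir($base);
```

The allowlist alone is usually enough for a name that only ever selects a bundled file, but the realpath() check is cheap and catches cases the regex does not model, such as a theme entry that is itself a symlink pointing outside the plugin directory. Reading wp-config.php through either function in a real deployment would mean the web server user can read it, which is the normal configuration and why the Impact section below matters.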
Impact
Successful exploitation lets an attacker read the contents of arbitrary files the web server process can access, such as wp-config.php (which contains database credentials and the authentication keys and salts), .htaccess, or other sensitive system files. Exposed database credentials can lead to full site compromise.
Mitigation
No patch had been released as of the advisory date; users should disable or remove the plugin until a fixed version is available. In the meantime, review which accounts hold the Contributor role or higher, since that is the minimum level needed to reach the vulnerable parameter. The plugin is not known to be on the CISA KEV list.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.