Vulnerabilities and security researches formusic-sheet-viewer music-sheet-viewer

Feb 01, 2025

CVE, Research URL: CVE-2024-13670
Home page URL: Security reports for Music Sheet Viewer
Application: Music Sheet Viewer
Date: Jan 30, 2025
Research Description: The Music Sheet Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pn_msv' shortcode in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Feb 09, 2025

CVE, Research URL: CVE-2025-25155
Home page URL: Security reports for Music Sheet Viewer
Application: Music Sheet Viewer
Date: Feb 07, 2025
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in efreja Music Sheet Viewer allows Path Traversal. This issue affects Music Sheet Viewer: from n/a through 4.1.
Affected versions: Min -, max -.
Status: vulnerable

May 07, 2025

CVE, Research URL: CVE-2024-13671
Home page URL: Security reports for Music Sheet Viewer
Application: Music Sheet Viewer
Date: Jan 30, 2025
Research Description: The Music Sheet Viewer plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.1 via the read_score_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected versions: Min -, max -.
Status: vulnerable