ZoomSounds - Arbitrary File Upload (CVE-2021-4449)

CVE-2021-4449 is a critical vulnerability in the ZoomSounds WordPress plugin that allows unauthenticated attackers to upload arbitrary files due to insufficient file type validation in the 'savepng.php' file. This flaw can be exploited to achieve remote code execution on the affected server, potentially leading to full site compromise.

CrowdSec has been tracking this vulnerability and its exploits since 10th of December 2025.

CrowdSec network observations suggest that most exploitation of CVE-2021-4449 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec data also reveals a clear uptick in attacks involving CVE-2021-4449 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit the ZoomSounds plugin by sending unauthenticated POST requests to /wp-content/plugins/dzs-zoomsounds/savepng.php with a crafted location parameter, enabling arbitrary file uploads and remote code execution.