CVE-2026-1219
Awaiting Analysis
Awaiting Analysis - Queue
Insecure Direct Object Reference in Sonaar MP3 Player Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
The MP3 Audio Player β Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sonaar | mp3_audio_player | 4.0 |
| sonaar | mp3_audio_player | 5.10 |
| sonaar | mp3_audio_player | From 5.10 (exc) |
| sonaar | mp3_audio_player | From 4.0 (inc) to 5.10 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
