CVE-2026-8679
Received Received - Intake
Insecure Direct Object Reference in AudioIgniter WordPress Plugin

Publication date: 2026-05-22

Last updated on: 2026-05-22

Assigner: Wordfence

Description
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check β€” only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-22
Last Modified
2026-05-22
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-8679
EUVD
EUVD-2026-31421
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cssigniter audioigniter to 2.0.2 (inc)
cssigniter audioigniter to 2.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The AudioIgniter plugin for WordPress, in versions up to and including 2.0.2, has a vulnerability known as Insecure Direct Object Reference. This occurs because the handle_playlist_endpoint() function accepts a user-controlled playlist ID without proper authentication or permission checks. As a result, unauthenticated attackers can access playlist track data such as titles, artists, audio URLs, buy links, download URLs, and cover images, even for playlists that are draft, private, pending, or trashed.

Impact Analysis

This vulnerability allows unauthorized users to view sensitive playlist metadata that should be restricted. Attackers can access unpublished or private playlist information without any authentication, potentially exposing confidential or proprietary content. This can lead to privacy breaches and unauthorized disclosure of data hosted on the affected WordPress site.

Detection Guidance

This vulnerability can be detected by checking if the AudioIgniter plugin version is 2.0.2 or earlier, as these versions lack proper authentication and authorization checks on the playlist endpoint.

To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the playlist JSON endpoint, specifically requests containing the query variable 'audioigniter_playlist_id' or URLs matching the pattern '/audioigniter/playlist/{id}/'.

Example command to search web server logs for suspicious access to the playlist endpoint:

  • grep -E 'audioigniter_playlist_id=|/audioigniter/playlist/' /var/log/apache2/access.log

You can also use curl to manually test if the endpoint returns playlist data without authentication:

  • curl -s 'https://yourwordpresssite.com/?audioigniter_playlist_id=1'
  • curl -s 'https://yourwordpresssite.com/audioigniter/playlist/1/'

If these commands return playlist metadata without requiring authentication, your site is vulnerable.

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update the AudioIgniter plugin to version 2.0.3 or later, where the issue has been fixed by adding proper authentication and playlist status checks.

If updating immediately is not possible, consider temporarily restricting access to the playlist endpoint by implementing web server rules or firewall rules that block unauthenticated requests to URLs containing '/audioigniter/playlist/' or the query parameter 'audioigniter_playlist_id'.

Additionally, review and tighten WordPress user permissions and consider disabling or limiting the plugin functionality until the update can be applied.

Compliance Impact

The vulnerability allows unauthenticated attackers to access playlist track metadata, including titles, artists, audio URLs, buy links, download URLs, and cover images, even for playlists in draft, private, pending, or trash status.

This unauthorized exposure of potentially sensitive or unpublished data could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require proper access controls and protection of personal or sensitive information.

However, the provided context does not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8679. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart