Description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure via Unauthenticated IDOR
Action: Immediate Patch
AI Analysis

Impact

The WordPress MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin contains an insecure direct object reference in the 'load_track_note_ajax' endpoint. A user can supply a malicious key, and the plugin will return the contents of private posts without authentication. This flaw allows an attacker to read confidential data that should be restricted to authorized users, constituting a confidentiality breach. The underlying weakness is an IDOR (CWE‑639).

Affected Systems

WordPress sites running the MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin, versions 4.0 through 5.10, are affected.

Risk and Exploitability

The vulnerability is scored with a CVSS 5.3, indicating a medium severity. The EPSS score is below 1%, suggesting low current exploitation probability, and the flaw is not listed in the CISA KEV catalog. Based on the attack vector described, unauthenticated users can trigger a GET or POST request to the vulnerable endpoint, leading directly to exposure of restricted content.

Generated by OpenCVE AI on April 17, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MP3 Audio Player plugin to a version newer than 5.10 that removes the vulnerable endpoint or adds proper access control.
  • If an upgrade cannot be applied immediately, block or restrict access to the /load_track_note_ajax endpoint so that only authenticated users can reach it, for example via a Web Application Firewall rule.
  • Disable or remove the load_track_note_ajax functionality from the plugin configuration if the vendor provides such an option.
  • Continuously monitor the plugin and server logs for unexpected requests to the load_track_note_ajax endpoint to detect possible exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 18:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sonaar
Sonaar mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar
Wordpress
Wordpress wordpress
Vendors & Products Sonaar
Sonaar mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
Description The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
Title MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Sonaar Mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-02-20T20:37:50.944Z

Reserved: 2026-01-20T01:27:06.784Z

Link: CVE-2026-1219

cve-icon Vulnrichment

Updated: 2026-02-20T20:37:32.577Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T10:16:11.277

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1219

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses