Description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-02-14
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) allowing internal network requests by author‑level users
Action: Assess
AI Analysis

Impact

A Server‑Side Request Forgery exists in the MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar. The flaw resides in the load_lyrics_ajax_callback function and permits authenticated attackers with author or higher privileges to instruct the WordPress server to perform web requests to arbitrary URLs. This can be used to exfiltrate data, read sensitive internal endpoints, or alter configuration on those services, thereby undermining data confidentiality and integrity.

Affected Systems

The vulnerability affects the Sonaar MP3 Audio Player – Music Player, Podcast Player & Radio plugin for WordPress in versions 5.3 through 5.10.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, but any user with author‑level access who can invoke the AJAX call can exploit it. Because the request originates from the web application, it can reach internal services that are otherwise inaccessible to external attackers, creating a significant insider‑risk scenario.

Generated by OpenCVE AI on April 18, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Sonaar MP3 Audio Player plugin to the latest available release of the plugin.
  • If an upgrade cannot be performed immediately, prevent author‑level users from triggering the load_lyrics_ajax_callback endpoint, either by revoking or restricting the 'edit_others_posts' capability or by disabling the feature through the plugin settings.
  • Configure the application or network firewall to block outbound HTTP/HTTPS traffic from the WordPress host to internal IP ranges, limiting the server’s reach to only necessary external destinations.
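As an added illustration, not code from the Sonaar plugin (the advisory does not reproduce it): a hypothetical WordPress AJAX handler in the unsafe pattern CWE-918 describes, beside a version that applies the actions above (a capability gate plus restriction of the destinations the server will fetch). All `example_` names, the nonce action and the allowed host are assumptions.

```php
<?php
// Illustrative only: these are not the plugin's functions. Names prefixed
// "example_" and the host lyrics.example.com are assumptions.

// Before: the pattern that produces CWE-918. Any logged-in user supplies a
// URL and the server fetches it, so internal services become reachable.
function example_load_lyrics_unsafe() {
    $url  = isset( $_POST['lyrics_url'] ) ? wp_unslash( $_POST['lyrics_url'] ) : '';
    $resp = wp_remote_get( $url ); // no capability check, no destination restriction
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}

// After: nonce, an explicit capability gate, an https-only host allowlist, and
// wp_safe_remote_get(), whose wp_http_validate_url() step rejects loopback and
// RFC 1918 IPv4 destinations and non-standard ports unless a site deliberately
// opts in through the http_request_host_is_external filter.
function example_load_lyrics_safe() {
    check_ajax_referer( 'example_lyrics_nonce', 'nonce' );

    // Gate on a capability narrower than "any author" (assumed choice).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $url   = isset( $_POST['lyrics_url'] ) ? esc_url_raw( wp_unslash( $_POST['lyrics_url'] ) ) : '';
    $parts = wp_parse_url( $url );
    $hosts = apply_filters( 'example_lyrics_allowed_hosts', array( 'lyrics.example.com' ) );

    if ( empty( $parts['host'] ) || 'https' !== ( $parts['scheme'] ?? '' )
        || ! in_array( strtolower( $parts['host'] ), $hosts, true ) ) {
        wp_send_json_error( 'destination not allowed', 400 );
    }

    // No redirects: a redirect would otherwise let the allowed host point the
    // request somewhere the allowlist never approved.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    wp_send_json_success( wp_strip_all_tags( wp_remote_retrieve_body( $resp ) ) );
}
add_action( 'wp_ajax_example_load_lyrics', 'example_load_lyrics_safe' );
```

The core URL check is IPv4-oriented and resolves the host only at validation time, so the host-level egress rule in the third action above still belongs in place alongside this code change.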


Tracking


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Sonaar; Sonaar mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Sonaar; Sonaar mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 08:30:00 +0000

Type: Description
Values removed: (none)
Values added: The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values removed: (none)
Values added: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery

Type: Weaknesses
Values removed: (none)
Values added: CWE-918

Type: References

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


Subscriptions

Sonaar Mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-02-17T15:44:52.991Z

Reserved: 2026-01-20T18:58:08.045Z

Link: CVE-2026-1249

Vulnrichment

Updated: 2026-02-17T15:36:28.170Z

NVD

Status : Deferred

Published: 2026-02-14T09:16:11.850

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:30:45Z

Weaknesses