Impact
WordPress sites running the Sonaar MP3 Audio Player for Music, Radio & Podcast plugin are exposed to a Server‑Side Request Forgery flaw. The plugin accepts external URLs without adequate validation, so an attacker can make the vulnerable server issue requests to network locations of the attacker's choosing. The result can reveal sensitive internal data, trigger actions on backend services, or disrupt network services. This weakness is classified as CWE‑918 and can compromise confidentiality, integrity, or availability depending on which services the server can reach.
Affected Systems
The vulnerability affects the Sonaar MP3 Audio Player for Music, Radio & Podcast WordPress plugin, all versions up to 5.11 inclusive. All WordPress sites running a vulnerable instance of this plugin are at risk.
Risk and Exploitability
The CVSS rating is 5.4 with a low EPSS score below 1%, and the flaw is not presently listed in the CISA KEV catalog. The likely attack vector is submission of a crafted URL to the plugin's media input endpoint, which causes the server to perform outbound HTTP requests. Attackers would need either site‑admin access or the ability to supply untrusted URLs; once the SSRF is triggered, the server could access internal hosts, potentially exposing restricted data or enabling further exploitation. The likelihood of exploitation is low, but the potential impact is serious if the server can reach sensitive infrastructure.
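The following is an added illustration, not the plugin's own code (its internals are not shown here), of the vulnerable shape described above beside a hardened handler for a remote-media URL input; the function and action names are invented, while the WordPress APIs used (wp_safe_remote_get, wp_http_validate_url, and the AJAX helpers) are real.

```php
<?php
// Added example (not the plugin's own code): a remote-media fetch handler in
// the vulnerable shape, then a hardened one. Function/action names are invented.

// Vulnerable pattern: whatever URL the client submits is fetched as-is, so the
// server will request loopback, private or link-local addresses on demand (SSRF).
function example_fetch_media_unsafe() {
    $url = isset( $_POST['media_url'] ) ? wp_unslash( $_POST['media_url'] ) : '';
    wp_send_json_success( wp_remote_retrieve_body( wp_remote_get( $url ) ) );
}

// True only if the host resolves to a globally routable address. Covers what
// wp_http_validate_url() does not: link-local 169.254.0.0/16 and IPv6 ranges.
function example_host_is_public( $host ) {
    $host = trim( $host, '[]' );                       // bare IPv6 literal
    $ip   = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    return false !== filter_var( $ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

// Hardened pattern: nonce + capability check, http(s)-only, host screened
// before connecting, redirects disabled so a 302 cannot pivot to an internal host.
function example_fetch_media_safe() {
    check_ajax_referer( 'example_media_fetch', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $url  = isset( $_POST['media_url'] ) ? esc_url_raw( wp_unslash( $_POST['media_url'] ) ) : '';
    $host = (string) wp_parse_url( $url, PHP_URL_HOST );
    if ( ! in_array( wp_parse_url( $url, PHP_URL_SCHEME ), array( 'http', 'https' ), true )
        || false === wp_http_validate_url( $url )      // rejects 127/8, 10/8, 172.16/12, 192.168/16
        || ! example_host_is_public( $host ) ) {
        wp_send_json_error( 'URL rejected', 400 );
    }
    // Caveat: DNS is resolved twice (check, then fetch), so a rebinding host can
    // still differ between them; pin the resolved IP or use an egress proxy if that matters.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,
        'limit_response_size' => 1048576,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    wp_send_json_success( array(
        'status'       => wp_remote_retrieve_response_code( $response ),
        'content_type' => wp_remote_retrieve_header( $response, 'content-type' ),
    ) );
}
add_action( 'wp_ajax_example_fetch_media', 'example_fetch_media_safe' );
```

Rejected requests are a useful detection signal: logging the submitted URL and the acting user on the 'URL rejected' path surfaces probing of internal address space.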
OpenCVE Enrichment