Description
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
Published: 2026-05-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AudioIgniter Music Player plugin for WordPress accepts an attacker-chosen playlist ID through the audioigniter_playlist_id query variable or the /audioigniter/playlist/{id}/ rewrite rule. The handler that serves this request checks only that the referenced post has the playlist post type; it performs no authentication, capability, or post_status check before returning the playlist's track data. As a result, any visitor can retrieve the titles, artists, audio URLs, buy links, download URLs, and cover images of any playlist by ID, including playlists in draft, private, pending, or trash status. This is an Insecure Direct Object Reference (CWE-639) that grants read-only access to potentially sensitive media assets; it does not allow playlists to be modified and does not affect availability, which is why the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) scores 7.5 with a high confidentiality impact only.
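
The following is an added example, not AudioIgniter's code and not taken from the advisory: a minimal reconstruction of the handler pattern described above, beside a hardened version that adds the missing post_status and capability check. Only the function name handle_playlist_endpoint(), the template_redirect hook, and the audioigniter_playlist_id query var come from the advisory; the post type slug, the meta key, and the payload shape are assumptions made for the illustration.

```php
<?php
// Added example, not AudioIgniter's code: a minimal reconstruction of the
// pattern the advisory describes, beside a hardened version. Only the
// function name, the hook, and the query var come from the advisory; the
// post type slug, the meta key, and the payload shape below are assumed.

const EXAMPLE_PLAYLIST_POST_TYPE = 'audioigniter_playlist'; // assumed slug
const EXAMPLE_TRACKS_META_KEY    = '_example_tracks';       // assumed meta key

// Builds the JSON payload. Real tracks would carry title/artist/audio URL/
// buy link/download URL/cover image; here they are whatever the assumed meta holds.
function example_playlist_payload( WP_Post $playlist ) {
    $tracks = get_post_meta( $playlist->ID, EXAMPLE_TRACKS_META_KEY, true );
    return array(
        'id'     => $playlist->ID,
        'title'  => $playlist->post_title,
        'status' => $playlist->post_status,
        'tracks' => is_array( $tracks ) ? $tracks : array(),
    );
}

// VULNERABLE pattern (what the advisory describes): only post_type is checked,
// so draft, private, pending, and trashed playlists are all served to anyone.
function example_vulnerable_handle_playlist_endpoint() {
    $playlist_id = absint( get_query_var( 'audioigniter_playlist_id' ) );
    if ( ! $playlist_id ) {
        return; // not a playlist request; let WordPress continue
    }
    $playlist = get_post( $playlist_id );
    if ( ! $playlist || EXAMPLE_PLAYLIST_POST_TYPE !== $playlist->post_type ) {
        wp_send_json_error( array( 'message' => 'Playlist not found.' ), 404 );
    }
    wp_send_json_success( example_playlist_payload( $playlist ) ); // exits
}

// HARDENED version: the same handler with the missing visibility check.
// 'read_post' goes through map_meta_cap(): a public post needs only 'read',
// a private post needs read_private_posts, and draft/pending/trash need the
// author or someone who can edit the post, so editors still see their own work.
function example_hardened_handle_playlist_endpoint() {
    $playlist_id = absint( get_query_var( 'audioigniter_playlist_id' ) );
    if ( ! $playlist_id ) {
        return;
    }
    $playlist = get_post( $playlist_id );
    if ( ! $playlist || EXAMPLE_PLAYLIST_POST_TYPE !== $playlist->post_type ) {
        wp_send_json_error( array( 'message' => 'Playlist not found.' ), 404 );
    }
    if ( 'publish' !== $playlist->post_status
        && ! current_user_can( 'read_post', $playlist_id ) ) {
        // Same 404 for "does not exist" and "not visible to you": do not let an
        // anonymous caller learn which IDs are real unpublished playlists.
        wp_send_json_error( array( 'message' => 'Playlist not found.' ), 404 );
    }
    nocache_headers(); // the response now depends on who is asking; keep proxies from caching it
    wp_send_json_success( example_playlist_payload( $playlist ) );
}

// The advisory says the handler is hooked to template_redirect.
add_action( 'template_redirect', 'example_hardened_handle_playlist_endpoint' );
```

The only difference between the two handlers is the post_status / current_user_can( 'read_post', ... ) gate. Checking the capability against the specific post, rather than requiring a login or a role, keeps published playlists public for anonymous playback while letting WordPress's own visibility rules decide who may see drafts, private, pending, and trashed ones.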

Affected Systems

WordPress sites running AudioIgniter (distributed as AudioIgniter Music Player, vendor cssigniterteam) at version 2.0.2 or older are affected: every release up to and including 2.0.2 is vulnerable. At the time of this entry no fixed release is listed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS estimate is below 1% (Very Low) and the SSVC assessment records no known exploitation, so there is no evidence of attacks in the wild at publication, and the vulnerability is not listed in the CISA KEV catalog. That said, SSVC also rates it Automatable: the attack is a single unauthenticated GET request to the playlist endpoint with a numeric post ID, and because WordPress post IDs are sequential, enumerating every playlist on a site is straightforward. Each successful request exposes playlist metadata, including audio and download URLs, for unpublished or trashed playlists that may point at unreleased or paid media.

Generated by OpenCVE AI on May 22, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AudioIgniter to a release newer than 2.0.2 as soon as the vendor publishes one. No fixed version is listed on this entry, so confirm in the vendor changelog that the playlist endpoint now checks post_status and the requester's capabilities before treating the issue as closed.
  • If an upgrade is not possible, restrict unauthenticated access at the web server or WAF. Block both request vectors: the pretty path /audioigniter/playlist/{id}/ and any request carrying an audioigniter_playlist_id query parameter. A rule that matches only the path leaves the query-variable route open.
  • Alternatively, patch the handle_playlist_endpoint() function, or wrap it from a must-use plugin that runs earlier on template_redirect, so that a playlist is served only when its post_status is publish or current_user_can( 'read_post', $id ) returns true. Requiring a login or a role for every request would break public playlists; the check should follow WordPress post visibility for that specific post.
  • Do not rely on WordPress visibility settings or content-visibility plugins: the endpoint bypasses post_status entirely, so draft, private, and trashed playlists are exposed regardless. Until a fix is deployed, permanently delete trashed playlists and keep unreleased or paid media (audio URLs, download URLs) out of unpublished playlists.

Generated by OpenCVE AI on May 22, 2026 at 09:20 UTC.
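
The following must-use plugin is an added example (not vendor code and not an official workaround) of the virtual patch described in the recommended actions: it resolves the playlist ID from every route the advisory names and denies non-published playlists before the plugin's own handler runs. It assumes that the /audioigniter/playlist/{id}/ rewrite rule populates the audioigniter_playlist_id query var, that the plugin registers its handler on template_redirect at WordPress's default priority 10, and that the playlist post type has the slug given below; none of those three details appear on this page.

```php
<?php
/**
 * Plugin Name: Example playlist guard for CVE-2026-8679
 * Description: Added example (not vendor code). Drop into wp-content/mu-plugins/
 *              to deny access to non-published AudioIgniter playlists before the
 *              plugin's own template_redirect handler runs. Remove after upgrading.
 */

// Assumptions not stated on the CVE page: the /audioigniter/playlist/{id}/
// rewrite rule populates the audioigniter_playlist_id query var, the plugin
// hooks template_redirect at WordPress's default priority (10), and the
// playlist post type is the slug below.
const EXAMPLE_AI_PLAYLIST_POST_TYPE = 'audioigniter_playlist'; // assumed slug

// Resolve the requested playlist ID from every route the advisory names.
function example_ai_requested_playlist_id() {
    $id = absint( get_query_var( 'audioigniter_playlist_id' ) ); // rewrite rule or registered query var
    if ( $id ) {
        return $id;
    }
    if ( isset( $_GET['audioigniter_playlist_id'] ) ) {         // raw query string
        return absint( wp_unslash( $_GET['audioigniter_playlist_id'] ) );
    }
    $path = wp_parse_url( $_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH );
    if ( is_string( $path ) && preg_match( '#/audioigniter/playlist/(\d+)/?$#', $path, $m ) ) {
        return (int) $m[1];                                    // pretty path, in case the query var is unset
    }
    return 0;
}

// True only for a playlist that must NOT be served to the current visitor:
// it exists, it is a playlist, it is not published, and the visitor lacks
// 'read_post' on it (the author, editors and administrators keep access).
function example_ai_is_hidden_playlist( $id ) {
    $post = get_post( $id );
    if ( ! $post || EXAMPLE_AI_PLAYLIST_POST_TYPE !== $post->post_type ) {
        return false; // not a playlist: let the plugin and WordPress behave as before
    }
    return 'publish' !== $post->post_status && ! current_user_can( 'read_post', $id );
}

add_action( 'template_redirect', function () {
    $id = example_ai_requested_playlist_id();
    if ( ! $id || ! example_ai_is_hidden_playlist( $id ) ) {
        return;
    }
    // Log the denied request so SOC tooling can spot ID enumeration, then
    // answer with the same 404 a missing playlist would get.
    error_log( sprintf(
        'audioigniter-guard: denied playlist %d for %s from %s',
        $id,
        is_user_logged_in() ? 'user#' . get_current_user_id() : 'anonymous',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
    nocache_headers();
    status_header( 404 );
    exit;
}, 0 ); // priority 0 runs before the plugin's default-priority handler
```

Unlike a path-only WAF rule, this guard covers the query-variable route as well, and unlike a blanket login requirement it leaves published playlists public. The error_log() line is deliberate: a burst of denied requests for consecutive IDs from one address is the signature of someone enumerating playlists, and is worth an alert even on a site that has already upgraded.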

Advisories

No advisories yet.

History

Fri, 22 May 2026 13:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cssigniterteam
                                      Cssigniterteam audioigniter Music Player
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Cssigniterteam
                                      Cssigniterteam audioigniter Music Player
                                      Wordpress
                                      Wordpress wordpress

Fri, 22 May 2026 11:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 08:45:00 +0000

Type                 Values Removed   Values Added
Description                           The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
Title                                 AudioIgniter Music Player <= 2.0.2 - Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter
Weaknesses                            CWE-639
References
Metrics                               cvssV3_1
                                      {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-22T10:20:11.498Z

Reserved: 2026-05-15T13:31:39.001Z

Link: CVE-2026-8679

Vulnrichment

Updated: 2026-05-22T10:20:04.408Z

NVD

Status : Received

Published: 2026-05-22T09:16:32.887

Modified: 2026-05-22T09:16:32.887

Link: CVE-2026-8679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:47Z

Weaknesses