{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1219", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T01:27:06.784Z", "datePublished": "2026-02-19T09:26:36.530Z", "dateUpdated": "2026-02-20T20:37:50.944Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T09:26:36.530Z"}, "affected": [{"vendor": "sonaar", "product": "MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar", "versions": [{"version": "4.0", "status": "affected", "lessThanOrEqual": "5.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts."}], "title": "MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a534-e403dff4f425?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/sonaar-music.php#L179"}, {"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/public/class-sonaar-music-public.php#L323"}, {"url": "https://plugins.trac.wordpress.org/changeset/3453076/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2026-02-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:37:24.748298Z", "id": "CVE-2026-1219", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:37:50.944Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T20:37:24.748298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:37:32.577Z"}}], "cna": {"title": "MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "sonaar", "product": "MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar", "versions": [{"status": "affected", "version": "4.0", "versionType": "semver", "lessThanOrEqual": "5.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a534-e403dff4f425?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/sonaar-music.php#L179"}, {"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/public/class-sonaar-music-public.php#L323"}, {"url": "https://plugins.trac.wordpress.org/changeset/3453076/"}], "descriptions": [{"lang": "en", "value": "The MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T09:26:36.530Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1219", "state": "PUBLISHED", "dateUpdated": "2026-02-20T20:37:50.944Z", "dateReserved": "2026-01-20T01:27:06.784Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T09:26:36.530Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts."}, {"lang": "es", "value": "El plugin MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar para WordPress es vulnerable a Referencia Directa Insegura a Objeto en las versiones 4.0 a 5.10 a trav\u00e9s de 'load_track_note_ajax' debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto posibilita que atacantes no autenticados vean el contenido de publicaciones privadas."}], "id": "CVE-2026-1219", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-02-19T10:16:11.277", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/public/class-sonaar-music-public.php#L323"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/sonaar-music.php#L179"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3453076/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a534-e403dff4f425?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0,5.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar", "source": "cna", "vendor": "sonaar"}, "product": "mp3_audio_player_\u2013_music_player,_podcast_player_&_radio_by_sonaar", "vendor": "sonaar"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T18:07:37.253975+00:00", "value": {"mitigation_remediation": ["Upgrade the MP3 Audio Player plugin to a version newer than 5.10 that removes the vulnerable endpoint or adds proper access control. ", "If an upgrade cannot be applied immediately, block or restrict access to the /load_track_note_ajax endpoint so that only authenticated users can reach it, for example via a Web Application Firewall rule. ", "Disable or remove the load_track_note_ajax functionality from the plugin configuration if the vendor provides such an option. ", "Continuously monitor the plugin and server logs for unexpected requests to the load_track_note_ajax endpoint to detect possible exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Exposure via Unauthenticated IDOR"}, "threat_synthesis": {"affected_systems": "WordPress sites running the MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar plugin, versions 4.0 through 5.10, are affected.", "description_and_impact": "The WordPress MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar plugin contains an insecure direct object reference in the 'load_track_note_ajax' endpoint. A user can supply a malicious key, and the plugin will return the contents of private posts without authentication. This flaw allows an attacker to read confidential data that should be restricted to authorized users, constituting a confidentiality breach. The underlying weakness is an IDOR (CWE\u2011639).", "risk_and_exploitability": "The vulnerability is scored with a CVSS 5.3, indicating a medium severity. The EPSS score is below 1%, suggesting low current exploitation probability, and the flaw is not listed in the CISA KEV catalog. Based on the attack vector described, unauthenticated users can trigger a GET or POST request to the vulnerable endpoint, leading directly to exposure of restricted content."}}}}, "created": "2026-02-20T10:07:20.031095+00:00", "updated": "2026-04-17T18:15:26.774437+00:00", "vendors": ["sonaar", "sonaar$PRODUCT$mp3_audio_player_\u2013_music_player,_podcast_player_&_radio_by_sonaar", "wordpress", "wordpress$PRODUCT$wordpress"]}