{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39647", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:33.159Z", "dateUpdated": "2026-04-29T09:52:03.948Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mp3-music-player-by-sonaar", "product": "MP3 Audio Player for Music, Radio & Podcast by Sonaar", "vendor": "sonaar", "versions": [{"lessThanOrEqual": "5.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.046Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.<p>This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:03.948Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-for-music-radio-podcast-by-sonaar-plugin-5-11-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:23:06.892284Z", "id": "CVE-2026-39647", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:23:37.275Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39647", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:23:06.892284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:22:17.251Z"}}], "cna": {"title": "WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "affected": [{"vendor": "sonaar", "product": "MP3 Audio Player for Music, Radio & Podcast by Sonaar", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.11"}], "packageName": "mp3-music-player-by-sonaar", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:38.046Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-for-music-radio-podcast-by-sonaar-plugin-5-11-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.<p>This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:33.159Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39647", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:23:37.275Z", "dateReserved": "2026-04-07T10:57:48.107Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:33.159Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11."}], "id": "CVE-2026-39647", "lastModified": "2026-04-24T18:06:24.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:35.620", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-for-music-radio-podcast-by-sonaar-plugin-5-11-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.11]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "MP3 Audio Player for Music, Radio & Podcast by Sonaar", "source": "cna", "vendor": "sonaar"}, "product": "mp3_audio_player_for_music,_radio_&_podcast", "vendor": "sonaar"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T23:08:23.670272+00:00", "value": {"mitigation_remediation": ["Update the Sonaar MP3 Audio Player plugin to a version newer than 5.11.", "If an immediate update is not possible, restrict the plugin\u2019s ability to make outbound requests or place it behind a network firewall that blocks internal traffic.", "Verify that the plugin does not process untrusted URLs from users or external sources."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery leading to potential exposure of internal resources"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Sonaar MP3 Audio Player for Music, Radio & Podcast WordPress plugin, all versions up to 5.11 inclusive. All WordPress sites running a vulnerable instance of this plugin are at risk.", "description_and_impact": "WordPress users of the Sonaar MP3 Audio Player for Music, Radio & Podcast plugin are exposed to a Server\u2011Side Request Forgery flaw. The plugin accepts external URLs without adequate validation, enabling an attacker to command the vulnerable server to fetch arbitrary network locations. The result can reveal sensitive internal data, trigger actions on backend services or disrupt network services. This weakness is classified as CWE\u2011918 and can compromise confidentiality, integrity, or availability depending on the target services.", "risk_and_exploitability": "The CVSS rating is 5.4 with a low EPSS score below 1%, and the flaw is not presently listed in the CISA KEV catalog. The likely attack vector is that an attacker can submit a crafted URL to the plugin\u2019s media input endpoint, causing the server to perform outbound HTTP requests. Attackers would need either site\u2011admin access or the ability to supply untrusted URLs; once the SSRF is triggered, the server could access internal hosts, potentially exposing restricted data or enabling further exploitation. The likelihood of exploitation is low, but the potential impact is serious if the server can reach sensitive infrastructure."}}}}, "created": "2026-04-08T19:41:28.792504+00:00", "updated": "2026-04-14T16:38:53.340356+00:00", "vendors": ["sonaar", "sonaar$PRODUCT$mp3_audio_player_for_music,_radio_&_podcast", "wordpress", "wordpress$PRODUCT$wordpress"]}