CVE-2026-1249
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
The MP3 Audio Player - Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Analysis
The MP3 Audio Player plugin for WordPress versions 5.3-5.10 contains a server-side request forgery vulnerability in the lyrics loading function that allows authenticated users with author privileges to initiate arbitrary web requests from the affected server. This capability enables attackers to interact with internal services and potentially access or modify sensitive data on systems reachable from the web application.
Remediation
Within 30 days: Identify affected systems running the MP3 Audio Player - Music Player, Podcast Player & Radio by Sonaar plugin for WordPress in versions 5.3 to 5.10, and apply vendor patches as part of the regular patch cycle. Monitor vendor channels for patch availability.