Skip to main content

AudioIgniter CVE-2026-8679

| EUVDEUVD-2026-31421 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-22 Wordfence GHSA-hvqp-vjwf-27jg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 09:30 vuln.today
Analysis Generated
May 22, 2026 - 09:30 vuln.today

DescriptionCVE.org

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check - only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.

AnalysisAI

Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.

Technical ContextAI

AudioIgniter is a WordPress music player plugin published by CSSIgniter (CPE cpe:2.3:a:cssigniterteam:audioigniter_music_player). The flaw is a classic CWE-639 Insecure Direct Object Reference: the plugin registers a custom rewrite rule and audioigniter_playlist_id query var that map directly to a WordPress post ID, and handle_playlist_endpoint() (hooked into template_redirect) returns JSON track data after only checking that the resolved post is of the audioigniter playlist post_type. WordPress normally enforces visibility through current_user_can('read_post', $id) and post_status checks, but those gates were absent in this code path, so the post-ID becomes a direct, attacker-controllable object reference.

RemediationAI

Vendor-released patch: upgrade to AudioIgniter 2.0.3, which adds is_user_logged_in(), post_status, and current_user_can('read_post', $id) checks in both shortcode_ai_playlist() and handle_playlist_endpoint() per commit 35a0508583c26c01b6ac446404ad6fe1d440d8d4 (https://github.com/cssigniter/audioigniter/commit/35a0508583c26c01b6ac446404ad6fe1d440d8d4) and the readme changelog. Until the upgrade is applied, administrators can block the /audioigniter/playlist/ rewrite path and any requests carrying the audioigniter_playlist_id query var at the WAF or web-server level (this will break the front-end playlist JSON endpoint for legitimate users, so any pages relying on the AJAX-style endpoint will stop loading tracks), or temporarily move all unpublished playlists out of the audioigniter post type so they cannot be resolved by ID. Generic WordPress hardening such as restricting xmlrpc or wp-admin does not mitigate this issue because the vulnerable endpoint is on the public site front-end.

Share

CVE-2026-8679 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy