Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.
AnalysisAI
Server-Side Request Forgery (SSRF) in Sonaar MP3 Audio Player for Music, Radio & Podcast WordPress plugin versions up to 5.11 allows unauthenticated remote attackers to forge requests to internal or external systems with high attack complexity, affecting confidentiality and integrity of data accessible from the server. EPSS scoring of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity (5.4), and no active exploitation has been confirmed; patch availability status requires vendor verification.
Technical ContextAI
This vulnerability exploits CWE-918 (Server-Side Request Forgery), a web application flaw where the server processes attacker-controlled input to make unintended HTTP or network requests. The Sonaar MP3 Audio Player is a WordPress plugin (CPE: cpe:2.3:a:sonaar:mp3_audio_player_for_music,_radio_&_podcast_by_sonaar) that likely handles audio URL fetching, playlist streaming, or remote content retrieval. Without proper input validation or URL scheme restrictions, an attacker can manipulate URL parameters to redirect server requests toward internal resources (localhost, private IP ranges), cloud metadata endpoints (AWS IMDSv1), or third-party services, bypassing network segmentation and authentication controls.
RemediationAI
Update Sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar to a version above 5.11 immediately upon release; consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-for-music-radio-podcast-by-sonaar-plugin-5-11-server-side-request-forgery-ssrf-vulnerability for exact patched version numbers. If an update is not yet available, implement Web Application Firewall (WAF) rules to block requests with suspicious URL schemes (file://, gopher://, dict://) in plugin parameters, restrict outbound server traffic to known-good domains via network egress filtering, and disable the plugin if it is non-critical. Verify patch status with Sonaar and Patchstack before rolling back to production.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20309
GHSA-878h-x39v-9rfh