Skip to main content

Mp3 Audio Player For Music Radio Podcast By Sonaar EUVDEUVD-2026-20309

| CVE-2026-39647 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 Patchstack GHSA-878h-x39v-9rfh
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:42 vuln.today
CVSS changed
Apr 13, 2026 - 21:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20309
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.

AnalysisAI

Server-Side Request Forgery (SSRF) in Sonaar MP3 Audio Player for Music, Radio & Podcast WordPress plugin versions up to 5.11 allows unauthenticated remote attackers to forge requests to internal or external systems with high attack complexity, affecting confidentiality and integrity of data accessible from the server. EPSS scoring of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity (5.4), and no active exploitation has been confirmed; patch availability status requires vendor verification.

Technical ContextAI

This vulnerability exploits CWE-918 (Server-Side Request Forgery), a web application flaw where the server processes attacker-controlled input to make unintended HTTP or network requests. The Sonaar MP3 Audio Player is a WordPress plugin (CPE: cpe:2.3:a:sonaar:mp3_audio_player_for_music,_radio_&_podcast_by_sonaar) that likely handles audio URL fetching, playlist streaming, or remote content retrieval. Without proper input validation or URL scheme restrictions, an attacker can manipulate URL parameters to redirect server requests toward internal resources (localhost, private IP ranges), cloud metadata endpoints (AWS IMDSv1), or third-party services, bypassing network segmentation and authentication controls.

RemediationAI

Update Sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar to a version above 5.11 immediately upon release; consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-for-music-radio-podcast-by-sonaar-plugin-5-11-server-side-request-forgery-ssrf-vulnerability for exact patched version numbers. If an update is not yet available, implement Web Application Firewall (WAF) rules to block requests with suspicious URL schemes (file://, gopher://, dict://) in plugin parameters, restrict outbound server traffic to known-good domains via network egress filtering, and disable the plugin if it is non-critical. Verify patch status with Sonaar and Patchstack before rolling back to production.

Share

EUVD-2026-20309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy