Skip to main content

Audioigniter Music Player

1 CVEs product

Monthly

CVE-2026-8679 HIGH POC This Week

Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.

WordPress Authentication Bypass Audioigniter Music Player
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.

WordPress Authentication Bypass Audioigniter Music Player
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy