Sonaar MP3 Audio Player Plugin Leaks Private Posts
CVE-2026-1219
Summary
The Sonaar MP3 Audio Player plugin for WordPress lets unauthenticated attackers read the contents of private posts, which can expose sensitive information. Update to version 5.11 or later to fix this issue.
Original title
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' d...
Original description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
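To check whether an installation falls in the affected range, the following added example (not code from the plugin or from this advisory) reads the plugin's `Version:` header from disk and compares it numerically. It assumes the standard `wp-content/plugins/<slug>/` layout, takes the slug from the reference URLs, and treats everything from 4.0 up to but not including 5.11 as affected; the function names and the sample header are constructed for illustration.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "mp3-music-player-by-sonaar"  # slug as it appears in the reference URLs
FIRST_AFFECTED = (4, 0, 0)                  # advisory: versions 4.0 to 5.10
FIRST_FIXED = (5, 11, 0)                    # advisory: update to 5.11 or later

def parse_version(text):
    """'5.10' -> (5, 10, 0). Integer tuples are required here: compared as
    floats or strings, 5.9 sorts above 5.11 and installs at 5.2-5.9 are missed."""
    nums = re.findall(r"\d+", re.split(r"[-+ ]", text.strip())[0])
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    nums = [int(n) for n in nums[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version_text):
    """True when the version is at least 4.0 and older than the fixed 5.11.
    Assumption: any point release of 5.10 is treated as still affected."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED

def installed_version(plugins_dir):
    """Return the Version header of the plugin under plugins_dir, or None.
    The main file name is not assumed: any top-level PHP file that carries a
    'Plugin Name:' header in its first 8 KB is accepted."""
    for php in sorted((Path(plugins_dir) / PLUGIN_SLUG).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if re.search(r"Plugin Name:", head, re.I):
            m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", head, re.I | re.M)
            if m:
                return m.group(1)
    return None

# Constructed sample header, not copied from the real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Example audio player (constructed sample)
 * Version: 5.10
 */
"""

if __name__ == "__main__":
    import sys
    found = installed_version(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins")
    if found is None:
        print("plugin not found")
    else:
        print(found, "AFFECTED, update to 5.11 or later" if is_affected(found) else "not in affected range")
```

Run it with the path to `wp-content/plugins` as the only argument; with no argument it looks for that directory relative to the current one.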
CVSS 3.1 (NVD): 5.3
Vulnerability type
CWE-639: Authorization Bypass Through User-Controlled Key
- https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/...
- https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/...
- https://plugins.trac.wordpress.org/changeset/3453076/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a53...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026