
Sonaar WordPress Plugin Allows Attackers to Access Internal Services

CVE-2026-1249
Summary

The Sonaar music player plugin for WordPress has a server-side request forgery (SSRF) flaw. An authenticated attacker with author-level access or above can make the site send web requests to arbitrary locations, including internal services, and use those requests to query or modify information that is not meant to be public. Update the plugin to the latest version to fix this issue.

Original title
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' f...
Original description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
NVD CVSS 3.1: 5.0
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026