CVE-2026-1219

Description

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.

PUBLISHED Reserved 2026-01-20 | Published 2026-02-19 | Updated 2026-02-20 | Assigner Wordfence

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Timeline

Credits

Kenneth Dunn finder

References

www.wordfence.com/...-d543-4d46-a534-e403dff4f425?source=cve

plugins.trac.wordpress.org/...aar/tags/5.10/sonaar-music.php

plugins.trac.wordpress.org/.../class-sonaar-music-public.php

plugins.trac.wordpress.org/changeset/3453076/

cve.org (CVE-2026-1219)

nvd.nist.gov (CVE-2026-1219)

Download JSON