Security Alert Summary
The AudioIgniter plugin for WordPress, in versions up to and including 2.0.2, contains an insecure direct object reference (IDOR) that exposes playlist track metadata to unauthenticated users. The plugin accepts a user-controlled playlist identifier and returns the playlist's data without checking authentication, capabilities, or post_status, so anyone can read the titles, artists, audio URLs, buy links, download URLs, and cover images of any playlist on the site, including draft, private, pending and trashed ones.
CVE Details
- CVE ID: CVE-2026-8679
- Affected component: AudioIgniter plugin for WordPress
- Affected versions: versions up to, and including, 2.0.2
- Published: May 22, 2026 at 9:16:32 AM
- Last modified: May 22, 2026 at 9:16:32 AM
- CVSS v3.1: Base score 7.5 – HIGH – Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Authentication / Privileges / User interaction: No authentication required; Privileges required: None (PR:N); User interaction: None (UI:N)
- Primary impact: Confidentiality: High; Integrity: None; Availability: None
- CWE: CWE-639
Technical Details
The vulnerability is an insecure direct object reference in the AudioIgniter plugin. Its handle_playlist_endpoint() function, hooked to template_redirect, accepts a user-controlled playlist identifier either through the audioigniter_playlist_id query variable or through the /audioigniter/playlist/{id}/ rewrite rule. After confirming only that the referenced post has the plugin's playlist post_type, it returns that playlist's track data. There is no authentication check, no capability check, and no check of the post's post_status.
Because neither post_status nor access rights are validated, unauthenticated requests can retrieve metadata for any playlist regardless of whether it is published, draft, private, pending, or in the trash. The exposed fields are the track titles, artists, audio URLs, buy links, download URLs, and cover images; this unauthenticated read of otherwise non-public content is what the CVSS vector's PR:N and C:H reflect.
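To make the missing checks concrete, the following is an added illustration of the flaw class described above next to a hardened handler. It is not AudioIgniter's code: the post type 'ai_playlist', the meta key 'ai_playlist_tracks', the rewrite regex and the function names are assumptions chosen so the two handlers can be compared side by side; only the hook, the query variable and the URL shape come from the advisory.

```php
<?php
/**
 * Illustration of the flaw class the advisory describes, with a hardened
 * counterpart. This is NOT AudioIgniter's code: the post type 'ai_playlist',
 * the meta key 'ai_playlist_tracks', the rewrite regex and the function
 * names are assumptions, chosen so the two handlers can be compared.
 */

// The two entry points the advisory names: a rewrite rule and a query var.
add_action( 'init', function () {
    add_rewrite_rule(
        '^audioigniter/playlist/([0-9]+)/?$',          // regex assumed from the URL shape
        'index.php?audioigniter_playlist_id=$matches[1]',
        'top'
    );
} );
add_filter( 'query_vars', function ( $vars ) {
    $vars[] = 'audioigniter_playlist_id';
    return $vars;
} );

// VULNERABLE pattern (shown for contrast, not hooked): only the post type is
// checked, so a draft, pending, private or trashed playlist is served to any
// visitor who knows or guesses its ID.
function ai_example_vulnerable_endpoint() {
    $id = absint( get_query_var( 'audioigniter_playlist_id' ) );
    if ( ! $id || 'ai_playlist' !== get_post_type( $id ) ) {
        return; // let WordPress continue with normal template handling
    }
    wp_send_json( get_post_meta( $id, 'ai_playlist_tracks', true ) ); // exits
}

// HARDENED: resolve the post object and serve it only if WordPress would
// already show it to this visitor on the front end.
function ai_example_hardened_endpoint() {
    $id = absint( get_query_var( 'audioigniter_playlist_id' ) );
    if ( ! $id ) {
        return; // not a playlist request
    }

    $post    = get_post( $id );
    $allowed = $post && 'ai_playlist' === $post->post_type
        // Anonymous visitors: status must be public (publish) and the post
        // type publicly viewable (is_post_publicly_viewable needs WP 5.7+).
        // Logged-in users: fall back to the read_post meta capability, which
        // WordPress maps to read / read_private_posts / edit_post according
        // to the post's status and author.
        && ( is_post_publicly_viewable( $post ) || current_user_can( 'read_post', $post->ID ) )
        // Password-protected playlists still require the password cookie.
        && ! post_password_required( $post );

    nocache_headers();
    if ( ! $allowed ) {
        // Same answer for "no such playlist" and "not yours", so the endpoint
        // cannot be used to confirm which IDs exist.
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 ); // exits
    }
    wp_send_json( get_post_meta( $post->ID, 'ai_playlist_tracks', true ) ); // exits
}

add_action( 'template_redirect', 'ai_example_hardened_endpoint' );
```

The key design choice is to reuse WordPress's own visibility rules rather than hand-roll a status list: is_post_publicly_viewable() covers the anonymous case, current_user_can( 'read_post', ... ) covers logged-in users, and post_password_required() keeps password-protected playlists gated. To verify a fix on your own site, request /audioigniter/playlist/<id>/ for a draft or private playlist from a logged-out browser or curl and confirm you get a 404 rather than JSON, while a published playlist still loads.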
How This Could Impact Your Website
On a typical small business site, the owner or an editor may build playlists containing tracks that are not yet meant for public release, while staff or external contractors manage the content. Because WordPress post IDs are sequential integers, an unauthenticated attacker can simply walk through playlist IDs and retrieve track metadata for playlists in non-public states, exposing internal or pre-release content.
The practical consequences are disclosure of unreleased or internal track details and of media URLs that were never meant to be public; if the files sit in the standard uploads directory, a leaked audio or download URL is enough to fetch the track itself, not just its metadata. Exposed artist names, buy links and cover images can also help an attacker identify contributors and partners and craft convincing phishing or social-engineering messages to them or to customers.
If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update AudioIgniter to a release that contains the fix (the fixing commit is listed under References). If you cannot update immediately, deactivate the plugin: the endpoint needs no login, so it cannot be protected by tightening user roles.
- Review and reduce unnecessary user roles, especially contributor-level and other low-privilege accounts. This does not block the vulnerability itself, which needs no account, but it limits what an attacker can do with credentials phished from contributors identified through the leak.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor access logs for requests to /audioigniter/playlist/{id}/ or ?audioigniter_playlist_id= from a single client that step through many IDs, especially runs of sequential IDs or requests that return data for playlists that are not published.
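The monitoring step above can be turned into a concrete check. The following is an added example, not part of the advisory or the plugin, written in PHP because every WordPress host already has the interpreter: it walks a combined-format access log, matches the two entry points the advisory names, and flags any client that requests many distinct playlist IDs. The threshold, the report format and the sample log lines are constructed for illustration.

```php
<?php
/**
 * Added example (not from the advisory or the plugin): flag clients that
 * enumerate AudioIgniter playlist IDs by walking a web-server access log.
 * Usage: php ai_enum_check.php /var/log/nginx/access.log
 * Without an argument it runs against the constructed sample lines below.
 */

// Apache/nginx "combined" line: client, ident, user, [time], "METHOD path proto", status, ...
const AI_LOG_LINE_RE  = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
// Pretty permalink /audioigniter/playlist/{id}/ ...
const AI_PATH_RE      = '~^/audioigniter/playlist/(\d+)/?(?:[?#]|$)~';
// ... and the raw query variable on any path.
const AI_QUERY_VAR_RE = '~[?&]audioigniter_playlist_id=(\d+)(?:&|$)~';

/** Return the playlist ID a request targets, or null if it is not a playlist request. */
function ai_playlist_id_from_request( string $path ): ?int {
    if ( preg_match( AI_PATH_RE, $path, $m ) || preg_match( AI_QUERY_VAR_RE, $path, $m ) ) {
        return (int) $m[1];
    }
    return null;
}

/**
 * Summarise playlist requests per client.
 * Returns [ ip => [ 'requests' => n, 'distinct_ids' => n, 'not_found' => n, 'flagged' => bool ] ].
 * $min_distinct_ids is an assumed threshold; tune it to how many playlists a
 * legitimate page on your site embeds.
 */
function ai_find_enumerators( iterable $lines, int $min_distinct_ids = 5 ): array {
    $per_ip = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( AI_LOG_LINE_RE, $line, $m ) ) {
            continue; // not a request line we understand
        }
        $ip     = $m[1];
        $path   = $m[4];
        $status = $m[5];
        $id     = ai_playlist_id_from_request( $path );
        if ( null === $id ) {
            continue;
        }
        $per_ip[ $ip ]['requests']  = ( $per_ip[ $ip ]['requests'] ?? 0 ) + 1;
        $per_ip[ $ip ]['ids'][ $id ] = true;
        if ( '404' === $status ) {
            $per_ip[ $ip ]['not_found'] = ( $per_ip[ $ip ]['not_found'] ?? 0 ) + 1;
        }
    }

    $report = [];
    foreach ( $per_ip as $ip => $row ) {
        $distinct = count( $row['ids'] );
        $report[ $ip ] = [
            'requests'     => $row['requests'],
            'distinct_ids' => $distinct,
            'not_found'    => $row['not_found'] ?? 0,
            // Many distinct IDs from one client is the enumeration signal; 404s
            // alongside it show the client is walking IDs that do not exist.
            'flagged'      => $distinct >= $min_distinct_ids,
        ];
    }
    return $report;
}

// Constructed sample log: one client walking sequential IDs with curl, and one
// ordinary visitor whose page loads the single playlist it embeds.
$sample_log = [
    '203.0.113.7 - - [22/May/2026:09:20:01 +0000] "GET /audioigniter/playlist/1/ HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    '203.0.113.7 - - [22/May/2026:09:20:01 +0000] "GET /audioigniter/playlist/2/ HTTP/1.1" 200 804 "-" "curl/8.5.0"',
    '203.0.113.7 - - [22/May/2026:09:20:02 +0000] "GET /audioigniter/playlist/3/ HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '203.0.113.7 - - [22/May/2026:09:20:02 +0000] "GET /audioigniter/playlist/4/ HTTP/1.1" 200 522 "-" "curl/8.5.0"',
    '203.0.113.7 - - [22/May/2026:09:20:03 +0000] "GET /?audioigniter_playlist_id=5 HTTP/1.1" 200 497 "-" "curl/8.5.0"',
    '203.0.113.7 - - [22/May/2026:09:20:03 +0000] "GET /audioigniter/playlist/6/ HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '198.51.100.4 - - [22/May/2026:09:21:10 +0000] "GET /music/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/May/2026:09:21:11 +0000] "GET /audioigniter/playlist/12/ HTTP/1.1" 200 1180 "https://example.com/music/" "Mozilla/5.0"',
];

$lines  = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample_log;
$report = ai_find_enumerators( $lines );
foreach ( $report as $ip => $row ) {
    printf( "%-16s requests=%d distinct_ids=%d not_found=%d %s\n",
        $ip, $row['requests'], $row['distinct_ids'], $row['not_found'],
        $row['flagged'] ? 'FLAGGED' : 'ok' );
}
```

The distinct-ID count is the signal to alert on rather than raw request volume, because a busy page with one embedded player can legitimately fetch the same playlist hundreds of times; a client touching many different IDs, with 404s mixed in, is walking the ID space. Note that after the fix the endpoint should answer 404 for non-public playlists, so a run of 404s from one client is still worth a look even on a patched site.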
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://github.com/cssigniter/audioigniter/commit/35a0508583c26c01b6ac446404ad6fe1d440d8d4
- https://plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.php#L1257
- https://plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.php#L1263
- https://plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.php#L1315
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fe573d64-036e-4f6f-bcc1-5183bb9ad2b9?source=cve