CVE-2026-8679
published 2026-05-22


Priority: P259 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.51% (71.2th percentile)
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.

Affected

1 range

Vendor | Product | Version range | Fixed in
cssigniterteam | audioigniter_music_player | <= 2.0.2 |

Detection & IOCs (extracted from sources)

url: /?audioigniter_playlist_id={{playlist_id}}
path: /audioigniter/playlist/{id}/
  • Probe for unauthenticated IDOR by first identifying a page containing 'audioigniter_playlist_id', extracting the numeric playlist ID, then requesting /?audioigniter_playlist_id=<id> and checking for HTTP 200, Content-Type: application/json, and JSON body fields 'title', 'audio', and 'subtitle'.
  • Fingerprint vulnerable WordPress installations by searching for pages whose body contains the string 'audioigniter_playlist_id' (FOFA query: body="audioigniter_playlist_id").
  • The vulnerable function handle_playlist_endpoint() is hooked to template_redirect; no authentication, capability, or post_status check is performed — only post_type is validated, so any numeric post ID of type audioigniter_playlist is accessible unauthenticated.
  • Successful exploitation returns a JSON response containing track metadata fields including titles, artists, audio URLs, buy links, download URLs, and cover images — even for playlists in draft, private, pending, or trash status.
  • The Nuclei template uses a two-step flow: step 1 must succeed (HTTP 200 + body contains 'audioigniter_playlist_id') before step 2 executes. The playlist ID is dynamically extracted via regex 'audioigniter_playlist_id=(\d+)' from the homepage body, so a valid ID must be present in the page source for the template to fire.
  • Affected versions are up to and including 2.0.2 of the AudioIgniter WordPress plugin; versions beyond 2.0.2 are not confirmed vulnerable.
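
Because pages that embed a player reference this endpoint in their source, requests to it are normal traffic; what matters for triage is a 200 response for a playlist ID that is not published. The following is an added example (not code from the plugin, the Nuclei template, or this page's sources) that applies the two URL forms above to web server access logs. It assumes Combined Log Format and a site-supplied set of published playlist IDs; the log lines, IPs, and IDs are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): client, request target, status; rest ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')
# Rewrite-rule form of the endpoint named in the advisory.
PATH_RE = re.compile(r'/audioigniter/playlist/([0-9]+)/?$')

def playlist_id(target):
    """Return the playlist ID a request target asks for, or None."""
    parts = urlsplit(target)
    values = parse_qs(parts.query).get("audioigniter_playlist_id")
    if values and re.fullmatch(r"[0-9]+", values[-1]):
        return int(values[-1])
    m = PATH_RE.search(parts.path)
    return int(m.group(1)) if m else None

def suspicious_reads(lines, published_ids):
    """Map client -> sorted playlist IDs served with 200 that are not published."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        pid = playlist_id(target)
        # Published playlists are fetched by the front-end player; skip those.
        if pid is not None and status == "200" and pid not in published_ids:
            hits[client].add(pid)
    return {client: sorted(ids) for client, ids in hits.items()}

# Constructed sample data: documentation-range IPs and made-up post IDs.
PUBLISHED = {41}
SAMPLE_LOG = [
    '198.51.100.7 - - [22/May/2026:10:01:02 +0000] "GET /?audioigniter_playlist_id=41 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/May/2026:10:02:10 +0000] "GET /?audioigniter_playlist_id=57 HTTP/1.1" 200 640 "-" "-"',
    '203.0.113.9 - - [22/May/2026:10:02:11 +0000] "GET /audioigniter/playlist/58/ HTTP/1.1" 200 702 "-" "-"',
    '203.0.113.9 - - [22/May/2026:10:02:12 +0000] "GET /?audioigniter_playlist_id=59 HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.33 - - [22/May/2026:10:05:40 +0000] "GET /?utm=x&audioigniter_playlist_id=60 HTTP/1.1" 200 655 "-" "-"',
    '192.0.2.33 - - [22/May/2026:10:05:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "-"',
]

if __name__ == "__main__":
    for client, ids in suspicious_reads(SAMPLE_LOG, PUBLISHED).items():
        print(client, ids)
```

A non-empty result on a site running 2.0.2 or earlier means track metadata for those unpublished playlists was served and should be treated as disclosed.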