[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdE-ormyEEavkzTa9lIiGIhA_kss2N4CNBM9onBtrF4g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-8679","audioigniter-music-player-unauthenticated-insecure-direct-object-reference-to-audioigniterplaylistid-parameter","AudioIgniter Music Player \u003C= 2.0.2 - Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter","The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the \u002Faudioigniter\u002Fplaylist\u002F{id}\u002F rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.","audioigniter",null,"\u003C=2.0.2","2.0.3","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-05-21 19:33:26","2026-05-22 07:50:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffe573d64-036e-4f6f-bcc1-5183bb9ad2b9?source=api-prod",1,[22,23,24],"audioigniter.php","languages\u002Faudioigniter.pot","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-8679 (AudioIgniter Music Player)\n\n## 1. Vulnerability Summary\nThe **AudioIgniter Music Player** plugin (\u003C= 2.0.2) contains an **Insecure Direct Object Reference (IDOR)** vulnerability within its playlist data endpoint. The function `handle_playlist_endpoint()`, which is hooked to `template_redirect`, allows unauthenticated users to retrieve metadata for any playlist by providing its ID. Because the function only validates that the requested ID corresponds to the `ai_playlist` post type and fails to verify the `post_status` (e.g., draft, private, trash) or user permissions, it exposes sensitive track information (URLs, titles, download links) that should not be publicly accessible.\n\n## 2. Attack Vector Analysis\n*   **Endpoints**: \n    1.  `\u002F?audioigniter_playlist_id=[ID]` (Query parameter)\n    2.  `\u002Faudioigniter\u002Fplaylist\u002F[ID]\u002F` (Rewrite rule)\n*   **Parameter**: `audioigniter_playlist_id`\n*   **Authentication**: None required (Unauthenticated).\n*   **Preconditions**: \n    *   The plugin must be active.\n    *   A playlist must exist (even if it is a draft, private, or in the trash).\n*   **Severity**: High (7.5) - This allows full disclosure of track metadata and audio source URLs for restricted content.\n\n## 3. Code Flow\n1.  **Registration**: In `audioigniter.php`, the method `init()` (line 144) calls `register_playlist_endpoint()`, which registers the `audioigniter_playlist_id` query variable and a corresponding rewrite rule.\n2.  **Hooking**: In `audioigniter.php`, the method `frontend_init()` (line 197) hooks `handle_playlist_endpoint()` to the `template_redirect` action.\n3.  **Processing (Inferred)**: When a request is made:\n    *   `template_redirect` triggers `handle_playlist_endpoint()`.\n    *   The function retrieves the ID from `get_query_var( 'audioigniter_playlist_id' )`.\n    *   It calls `get_post( $id )`.\n    *   It checks `if ( $post->post_type === 'ai_playlist' )`.\n    *   **Vulnerability**: It proceeds to output the playlist's track data (stored in post meta) as JSON and `exit`s, without checking if `post_status` is `'publish'`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `handle_playlist_endpoint()` function performs **no authentication or capability checks**. This includes a lack of nonce verification. \n\n*   **Nonce Requirement**: None. The endpoint is intended to be a public data source for the player's JavaScript component, but it fails to restrict access to non-public playlists.\n\n## 5. Exploitation Strategy\nThe goal is to retrieve track metadata from a **Draft** playlist as an unauthenticated user.\n\n1.  **Preparation**: Identify or create a playlist in `draft` status.\n2.  **Request**: Send a GET request to the site using the `audioigniter_playlist_id` parameter.\n3.  **Extraction**: Parse the JSON response to confirm track titles, audio URLs, and download links are present.\n\n### Targeted Request\n```http\nGET \u002F?audioigniter_playlist_id=[PLAYLIST_ID] HTTP\u002F1.1\nHost: localhost:8080\nUser-Agent: Mozilla\u002F5.0\nAccept: application\u002Fjson\n```\n\n## 6. Test Data Setup\nUse `wp-cli` to create the vulnerable state:\n\n1.  **Create a Draft Playlist**:\n    ```bash\n    wp post create --post_type=ai_playlist --post_status=draft --post_title=\"Secret Album 2026\" --post_content=\"Draft content\"\n    ```\n    *Note the returned ID (e.g., `123`).*\n\n2.  **Add Track Metadata**:\n    The plugin stores tracks in serialized post meta. Based on the source fields (lines 540-622), the metadata usually resides in a key like `_audioigniter_tracks`.\n    ```bash\n    wp post meta update 123 _audioigniter_tracks '[{\"title\":\"Unreleased Track\",\"artist\":\"The Attacker\",\"audio\":\"https:\u002F\u002Fexample.com\u002Fsecret.mp3\",\"download_url\":\"https:\u002F\u002Fexample.com\u002Fdownload-secret\"}]' --format=json\n    ```\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON body similar to:\n```json\n[\n  {\n    \"title\": \"Unreleased Track\",\n    \"artist\": \"The Attacker\",\n    \"audio\": \"https:\u002F\u002Fexample.com\u002Fsecret.mp3\",\n    \"download_url\": \"https:\u002F\u002Fexample.com\u002Fdownload-secret\",\n    ...\n  }\n]\n```\nThe response confirms that metadata for a `draft` post is leaked.\n\n## 8. Verification Steps\n1.  **Confirm Post Status**: Use WP-CLI to verify the playlist is indeed not published.\n    ```bash\n    wp post get [PLAYLIST_ID] --field=post_status\n    # Expected: draft\n    ```\n2.  **Verify Unauthenticated Access**: Ensure the HTTP request was made without any session cookies or Authorization headers.\n\n## 9. Alternative Approaches\nIf the query parameter method fails due to specific server configurations:\n*   **Rewrite Rule**: Try the pretty permalink structure:\n    `GET \u002Faudioigniter\u002Fplaylist\u002F[ID]\u002F HTTP\u002F1.1`\n*   **Internal Query**: If the endpoint is restricted by security plugins, try accessing via `admin-ajax.php` if the plugin registered an alternative handler there (though the description points specifically to `template_redirect`).\n*   **Metadata Hunting**: If track data isn't in the response, check if the response returns a list of attachment IDs, which could then be queried individually. (The description implies metadata is returned directly).","The AudioIgniter plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via its playlist data endpoint. Unauthenticated attackers can retrieve sensitive track metadata, including audio URLs and download links, for playlists that are in draft, private, or trash status by providing a numeric ID through the 'audioigniter_playlist_id' parameter.","\u002F\u002F audioigniter.php:1266\n\tpublic function handle_playlist_endpoint() {\n\t\t$playlist_id = get_query_var( 'audioigniter_playlist_id' );\n\n\t\tif ( empty( $playlist_id ) ) {\n\t\t\treturn;\n\t\t}\n\n\t\t$playlist_id = intval( $playlist_id );\n\t\t$post        = get_post( $playlist_id );\n\n\t\tif ( empty( $post ) || $post->post_type !== $this->post_type ) {\n\t\t\twp_send_json_error( __( \"ID doesn't match a playlist\", 'audioigniter' ) );\n\t\t}\n\n\t\t$response = array();\n\t\t$tracks   = $this->get_post_meta( $playlist_id, '_audioigniter_tracks', array() );\n\n\t\t\u002F\u002F ... [processing tracks] ...\n\n\t\twp_send_json( $response );\n\t}\n\n---\n\n\u002F\u002F audioigniter.php:1217\n\t\t$post = get_post( $id );\n\n\t\t$params = apply_filters( 'audioigniter_shortcode_data_attributes_array', $this->get_playlist_data_attributes_array( $id ), $id, $post, $atts );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faudioigniter\u002F2.0.2\u002Faudioigniter.php\t2025-09-16 12:14:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faudioigniter\u002F2.0.3\u002Faudioigniter.php\t2026-05-15 21:01:12.000000000 +0000\n@@ -6,7 +6,7 @@\n  * Author: The CSSIgniter Team\n  * Author URI: https:\u002F\u002Fwww.cssigniter.com\n  * License: GPLv2 or later\n- * Version: 2.0.2\n+ * Version: 2.0.3\n  * Text Domain: audioigniter\n  * Domain Path: \u002Flanguages\n  *\n@@ -1208,7 +1208,7 @@\n \t\t\t'class' => '',\n \t\t), $atts, $tag );\n \n-\t\t$id         = intval( $atts['id'] );\n+\t\t$id         = (int) $atts['id'];\n \t\t$class_name = $atts['class'];\n \n \t\tif ( ! $this->is_playlist( $id ) ) {\n@@ -1217,6 +1217,13 @@\n \n \t\t$post = get_post( $id );\n \n+\t\tif ( $post->post_status == 'trash' ||\n+\t\t     ( ! is_user_logged_in() && 'publish' !== $post->post_status ) ||\n+\t\t     ( is_user_logged_in() && ! current_user_can( 'read_post', $id ) ) ) {\n+\t\t\treturn '';\n+\t\t}\n+\n+\n \t\t$params = apply_filters( 'audioigniter_shortcode_data_attributes_array', $this->get_playlist_data_attributes_array( $id ), $id, $post, $atts );\n \t\t$params = array_filter( $params, array( $this->sanitizer, 'array_filter_empty_null' ) );\n \t\t$params = $this->sanitizer->html_data_attributes_array( $params );\n@@ -1266,12 +1273,17 @@\n \t\t\treturn;\n \t\t}\n \n-\t\t$playlist_id = intval( $playlist_id );\n+\t\t$playlist_id = (int) $playlist_id;\n \t\t$post        = get_post( $playlist_id );\n \n \t\tif ( empty( $post ) || $post->post_type !== $this->post_type ) {\n \t\t\twp_send_json_error( __( \"ID doesn't match a playlist\", 'audioigniter' ) );\n \t\t}\n+\t\tif ( ( ! is_user_logged_in() && 'publish' !== $post->post_status ) ||\n+\t\t\t( is_user_logged_in() && ! current_user_can( 'read_post', $playlist_id ) )\n+\t\t) {\n+\t\t\twp_send_json_error( __( 'Sorry, you are not allowed to access this playlist.', 'audioigniter' ) );\n+\t\t}\n \n \t\t$response = array();\n \t\t$tracks   = $this->get_post_meta( $playlist_id, '_audioigniter_tracks', array() );","To exploit this vulnerability, an unauthenticated attacker can perform the following steps: \n1. Identify the target site using the AudioIgniter plugin. \n2. Craft a GET request to the site's root using the query parameter 'audioigniter_playlist_id' followed by the ID of a suspected non-public playlist (e.g., `\u002F?audioigniter_playlist_id=123`). Alternatively, use the permalink structure `\u002Faudioigniter\u002Fplaylist\u002F[ID]\u002F` if rewrite rules are active. \n3. No authentication, nonces, or cookies are required for this request. \n4. Analyze the JSON response, which will contain the serialized track metadata (including audio source URLs, download links, and artist names) even if the playlist's post status is 'draft', 'private', or 'pending'.","gemini-3-flash-preview","2026-06-04 21:53:07","2026-06-04 21:53:30",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faudioigniter\u002Ftags\u002F2.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faudioigniter.2.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faudioigniter\u002Ftags\u002F2.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faudioigniter.2.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faudioigniter\u002Ftags"]