CVE-2026-39647

MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 5.11 - Unauthenticated Server-Side Request Forgery

highServer-Side Request Forgery (SSRF)
7.2
CVSS Score
7.2
CVSS Score
high
Severity
5.12
Patched in
86d
Time to patch

Description

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.11. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.11
PublishedFebruary 15, 2026
Last updatedMay 11, 2026

What Changed in the Fix

Changes introduced in v5.12

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Vulnerability Research Plan: CVE-2026-39647 (SSRF in MP3 Audio Player by Sonaar) ## 1. Vulnerability Summary The **MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar** plugin for WordPress is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)** in versions up to and…

Show full research plan

Vulnerability Research Plan: CVE-2026-39647 (SSRF in MP3 Audio Player by Sonaar)

1. Vulnerability Summary

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF) in versions up to and including 5.11. The vulnerability exists because the plugin provides a public endpoint intended to load playlist data (JSON or RSS feeds) from a user-supplied URL without sufficient validation or restriction to trusted domains.

2. Attack Vector Analysis

  • Endpoint: The site root /?load=playlist.json or /?action=srmp3_get_playlist (The ?load=playlist.json parameter is explicitly handled in the constructor).
  • Vulnerable Parameter: playlist_url (inferred) or url.
  • Authentication: Unauthenticated (No WordPress login required).
  • Preconditions: The plugin must be active. No specific settings or posts are strictly required as the check is in the class constructor/init phase.

3. Code Flow

  1. Entry Point: In includes/class-sonaar-music-widget.php, the __construct() method registers a closure on the srmp3player_after_register_post_type hook (Line 49).
  2. Trigger: This hook (likely fired during init or wp_loaded) checks if $_GET['load'] is set to playlist.json (Line 51).
  3. Vulnerable Sink: If the condition is met, it calls $this->print_playlist_json() (Line 52).
  4. SSRF Execution: Inside print_playlist_json() (not fully visible in snippets, but inferred by the ?load logic), the plugin retrieves a URL parameter (most likely playlist_url), passes it to wp_remote_get(), and echoes the response body to the browser.

4. Nonce Acquisition Strategy

Based on the code in includes/class-sonaar-music-widget.php, the ?load=playlist.json check occurs directly in the action handler registered during construction:

// includes/class-sonaar-music-widget.php:49
add_action('srmp3player_after_register_post_type', function () {
    $this->sr_playlist_cpt =  (defined( 'SR_PLAYLIST_CPT' )) ? SR_PLAYLIST_CPT : 'sr_playlist';
    if ( isset($_GET['load']) && $_GET['load'] == 'playlist.json' ) {     
        $this->print_playlist_json();
    }
});

Conclusion: No nonce is required for this specific unauthenticated entry point. The check is performed globally on every page load if the specific GET parameter is present.

5. Exploitation Strategy

The goal is to force the WordPress server to make a request to an internal service or external controlled URL and return the results.

Step-by-Step Plan:

  1. External OOB Check: Request a URL on an external listener to confirm the server makes the outbound request.
  2. Internal Probe: Attempt to access an internal resource (e.g., the WordPress site itself or an internal service like AWS metadata).

Payloads:

  • Action: GET
  • URL: http://<target-site>/?load=playlist.json&playlist_url=<attacker-url>
  • Alternative Parameter: If playlist_url fails, try url or feed.

HTTP Request Example:

GET /?load=playlist.json&playlist_url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0
Connection: close

6. Test Data Setup

No complex setup is required because the vulnerability is in the initialization code of the widget class.

  1. Install and activate mp3-music-player-by-sonaar version 5.11.
  2. Ensure the plugin is active via wp plugin is-active mp3-music-player-by-sonaar.

7. Expected Results

  • Successful Exploit: The response body will contain the content of the remote resource specified in playlist_url. For example, if playlist_url=http://www.google.com, the response will be the HTML of Google's homepage.
  • Response Headers: The Content-Type should likely be application/json or text/html depending on how print_playlist_json sets headers.

8. Verification Steps

  1. Check Output: Inspect the HTTP response body from the http_request tool.
  2. Verify Outbound Connection: If using a collaborator/listener, check for an incoming request from the WordPress server's IP.
  3. Confirm Unauthenticated: Run the request without any session cookies or WordPress authentication headers.

9. Alternative Approaches

If ?load=playlist.json does not work as expected:

  1. AJAX Endpoint: Check if wp_ajax_nopriv_srmp3_get_playlist exists.
  2. Shortcode Extraction: If the plugin requires a valid id or post_id for some logic:
    • Create a playlist: wp post create --post_type=sr_playlist --post_title="Test Playlist" --post_status=publish.
    • Find the ID: wp post list --post_type=sr_playlist.
    • Try: /?load=playlist.json&id=<ID>&playlist_url=....
  3. Parameter Fuzzing: If playlist_url is incorrect, try common Sonaar parameters found in the widget() function: rss_feed, import_file, feed, or feed_url.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.