MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar < 5.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via sonaar_audioplayer Shortcode | CVE 2024-10268 | Plugin Vulnerabilities

Description

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sonaar_audioplayer shortcode in all versions up to, and including, 5.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

mp3-music-player-by-sonaar

Fixed in 5.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/861d0218-0f0f-4299-a0ff-854832348457

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

42a7c729-5c1d-4a93-8989-243c034bee08

Timeline

Publicly Published

2024-11-18 (about 1 year ago)

Added

2024-11-18 (about 1 year ago)

Last Updated

2024-11-19 (about 1 year ago)

Other

Published

Title

Published

2025-01-16

Title

ChatGPT Open AI Images & Content for WooCommerce <= 2.2.0 - Reflected Cross-Site Scipting

Published

2024-10-15

Title

Cooked Pro < 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-09-01

Title

Markup Markdown < 3.20.10 - Contributor+ Stored XSS

Published

2025-06-16

Title

Ultimate Blocks < 3.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2020-04-03

Title

WP Last Modified Info < 1.6.6 - Authenticated Stored XSS