WordPress Plugin Vulnerabilities

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery

Description

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
mp3-music-player-by-sonaar
Fixed in 5.11

References

CVE
CVE-2026-1249
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/261aad1e-43fc-4927-a97d-85a001863023

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5 (medium)

Miscellaneous

Original Researcher
kr0d
Verified
No
WPVDB ID
cf61f183-b0e7-438b-b58f-eabe8b0010c3

Timeline

Publicly Published
2026-02-13 (about 1 month ago)
Added
2026-02-13 (about 1 month ago)
Last Updated
2026-02-14 (about 1 month ago)

Other

Published
Title
Published
2024-05-16
Title
Cost Calculator Builder Pro < 3.1.73 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-04-16
Title
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator < 4.4.8 - Authenticated(Contributor+) Blind Server-Side Request Forgery (SSRF)
Published
2026-03-20
Title
Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field
Published
2024-03-29
Title
Gutenberg Blocks by Kadence Blocks < 3.2.26 - Authenticated (Author+) Server-Side Request Forgery
Published
2025-05-07
Title
Easy Replace Image < 3.5.1 - Authenticated (Contributor+) Server-Side Request Forgery