CVE-2025-32235
Description
Missing Authorization vulnerability in Sonaar's MP3 Audio Player plugin ≤5.9.4 allows attackers to exploit incorrect access control to perform unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MP3 Audio Player for Music, Radio & Podcast by Sonaar (plugin slug `mp3-music-player-by-sonaar`) contains a Missing Authorization vulnerability. The flaw resides in the plugin's access control mechanisms, which are incorrectly configured, so protected functionality can be reached without the caller's permissions being properly validated. This issue affects all versions up to and including 5.9.4 [1]. The plugin is installed on WordPress sites with WooCommerce support and is available via the WordPress plugin repository.
Exploitation
An attacker can exploit this vulnerability by sending crafted requests to plugin endpoints that should require authorization but do not. No authentication or special network position beyond standard HTTP access is required, and no user interaction is needed. Exploitation relies on the missing permission checks: the incorrectly configured access control lets the attacker reach functionality that should be restricted.
Impact
Successful exploitation allows the attacker to perform unauthorized actions, potentially including modifying plugin settings, accessing sensitive data, or altering audio player configurations. The CIA impact primarily involves integrity and confidentiality breaches, depending on the protected functionality exposed. The attacker does not gain full system compromise but can operate with the privileges of the plugin's access level.
Mitigation
The vendor has released version 5.12 of the plugin, which includes a fix for this vulnerability [1]. Users should update to version 5.12 or later. For sites running version 5.9.4 or earlier, immediate upgrade is recommended. No workarounds are published. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=5.9.4
- Range: <=5.9.4
Patches (0)
No patches discovered yet.
References (1)
News mentions (0): no linked articles in our index yet.