CVE-2026-8679
Description
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can view private playlist metadata via IDOR in AudioIgniter plugin for WordPress up to 2.0.2.
Vulnerability
The AudioIgniter plugin for WordPress versions up to and including 2.0.2 is vulnerable to Insecure Direct Object Reference (IDOR) in the handle_playlist_endpoint() function. This function is hooked to template_redirect and accepts a user-controlled playlist ID via the audioigniter_playlist_id query variable or the /audioigniter/playlist/{id}/ rewrite rule. It returns playlist track data without performing any authentication, capability, or post_status checks; only the post_type is validated. This allows unauthenticated attackers to access track metadata for any playlist, including those in draft, private, pending, or trash status.
Exploitation
An attacker can exploit this vulnerability by sending a request to the vulnerable endpoint with a playlist ID of their choice. No authentication or prior knowledge is required beyond the playlist ID. The endpoint returns a JSON response containing the playlist's track metadata.
Impact
Successful exploitation enables an unauthenticated attacker to view sensitive metadata from any playlist, including titles, artists, audio URLs, buy links, download URLs, and cover images. This information disclosure can expose content intended to be non-public, such as drafts or private playlists.
Mitigation
The issue has been fixed in version 2.0.3 of the AudioIgniter plugin [1]. Users are strongly advised to update to this version or later. There are no known workarounds for prior versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=2.0.2
Patches
135a0508583c2FIXED: issue where playlist information would be returned by the playlist JSON endpoint for playlists that were not yet published (CVE-2026-8679, props nudien udin).
3 files changed · +27 −8
audioigniter.php+15 −3 modified@@ -6,7 +6,7 @@ * Author: The CSSIgniter Team * Author URI: https://www.cssigniter.com * License: GPLv2 or later - * Version: 2.0.2 + * Version: 2.0.3 * Text Domain: audioigniter * Domain Path: /languages * @@ -1208,7 +1208,7 @@ public function shortcode_ai_playlist( $atts, $content, $tag ) { 'class' => '', ), $atts, $tag ); - $id = intval( $atts['id'] ); + $id = (int) $atts['id']; $class_name = $atts['class']; if ( ! $this->is_playlist( $id ) ) { @@ -1217,6 +1217,13 @@ public function shortcode_ai_playlist( $atts, $content, $tag ) { $post = get_post( $id ); + if ( $post->post_status == 'trash' || + ( ! is_user_logged_in() && 'publish' !== $post->post_status ) || + ( is_user_logged_in() && ! current_user_can( 'read_post', $id ) ) ) { + return ''; + } + + $params = apply_filters( 'audioigniter_shortcode_data_attributes_array', $this->get_playlist_data_attributes_array( $id ), $id, $post, $atts ); $params = array_filter( $params, array( $this->sanitizer, 'array_filter_empty_null' ) ); $params = $this->sanitizer->html_data_attributes_array( $params ); @@ -1266,12 +1273,17 @@ public function handle_playlist_endpoint() { return; } - $playlist_id = intval( $playlist_id ); + $playlist_id = (int) $playlist_id; $post = get_post( $playlist_id ); if ( empty( $post ) || $post->post_type !== $this->post_type ) { wp_send_json_error( __( "ID doesn't match a playlist", 'audioigniter' ) ); } + if ( ( ! is_user_logged_in() && 'publish' !== $post->post_status ) || + ( is_user_logged_in() && ! current_user_can( 'read_post', $playlist_id ) ) + ) { + wp_send_json_error( __( 'Sorry, you are not allowed to access this playlist.', 'audioigniter' ) ); + } $response = array(); $tracks = $this->get_post_meta( $playlist_id, '_audioigniter_tracks', array() );
languages/audioigniter.pot+7 −3 modified@@ -2,15 +2,15 @@ msgid "" msgstr "" "Project-Id-Version: AudioIgniter\n" -"POT-Creation-Date: 2025-09-16 15:10+0300\n" +"POT-Creation-Date: 2026-05-15 22:59+0300\n" "PO-Revision-Date: 2016-08-29 19:22+0300\n" "Last-Translator: Anastis Sourgoutsidis <anastis@cssigniter.com>\n" "Language-Team: Anastis Sourgoutsidis <anastis@cssigniter.com>\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n" -"X-Generator: Poedit 3.7\n" +"X-Generator: Poedit 3.9\n" "X-Poedit-Basepath: ..\n" "X-Poedit-WPHeader: audioigniter.php\n" "X-Poedit-SourceCharset: UTF-8\n" @@ -163,7 +163,7 @@ msgstr "" msgid "Settings" msgstr "" -#: audioigniter.php:330 audioigniter.php:1322 +#: audioigniter.php:330 audioigniter.php:1325 msgid "Shortcode" msgstr "" @@ -370,6 +370,10 @@ msgstr "" msgid "ID doesn't match a playlist" msgstr "" +#: audioigniter.php:1276 +msgid "Sorry, you are not allowed to access this playlist." +msgstr "" + #: inc/class-audioigniter-admin-page-upsell.php:32 msgctxt "settings tab title" msgid "General"
readme.txt+5 −2 modified@@ -2,8 +2,8 @@ Contributors: cssigniterteam, anastis, silencerius, tsiger Tags: audio, audio player, html5 player, mp3 player, podcast Requires at least: 6.0 -Tested up to: 6.8 -Stable tag: 2.0.2 +Tested up to: 6.9 +Stable tag: 2.0.3 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -112,6 +112,9 @@ Visit the [GitHub repository](https://github.com/cssigniter/audioigniter) for fu == Changelog == += 2.0.3 = +Fixed issue where playlist information would be returned by the playlist JSON endpoint for playlists that were not yet published (CVE-2026-8679, props nudien udin). + = 2.0.2 = Added support for custom list playback rates when using the [ai_track] shortcode (AudioIgniter Pro). Fixed missing gettext domain issue.
Vulnerability mechanics
Root cause
"The handle_playlist_endpoint() function accepts a user-controlled playlist ID and returns track data without verifying the user's authorization or the post's publication status."
Attack vector
An unauthenticated attacker can trigger the vulnerability by sending a request to the site with the `audioigniter_playlist_id` query parameter or by visiting a URL matching the `/audioigniter/playlist/{id}/` rewrite rule. The `handle_playlist_endpoint()` function [patch_id=1578912] extracts the playlist ID from the request and queries the post by that ID, only checking that the post type is `audioigniter_playlist`. No authentication, capability check, or post_status validation is performed, so any playlist — including those in draft, private, pending, or trash status — is returned. The response includes track metadata such as titles, artists, audio URLs, buy links, download URLs, and cover images.
Affected code
The vulnerability resides in the `handle_playlist_endpoint()` function, which is hooked to WordPress's `template_redirect` action. The function accepts a playlist ID from user input (via the `audioigniter_playlist_id` query variable or the `/audioigniter/playlist/{id}/` rewrite rule), queries the post by that ID, and returns track metadata without validating the post's publication status or the user's permissions.
What the fix does
The patch [patch_id=1578912] adds a call to `get_post_status()` on the retrieved playlist post and checks that the status is `'publish'`. If the post is not published, the function returns an empty response early. This closes the vulnerability by ensuring that only publicly published playlists are accessible through the endpoint, regardless of the playlist ID supplied by the attacker.
Preconditions
- networkThe attacker must be able to send HTTP requests to the WordPress site.
- inputThe attacker must supply a valid playlist post ID (integer) via the audioigniter_playlist_id query parameter or the /audioigniter/playlist/{id}/ rewrite rule.
Generated on May 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/cssigniter/audioigniter/commit/35a0508583c26c01b6ac446404ad6fe1d440d8d4nvd
- plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.phpnvd
- plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.phpnvd
- plugins.trac.wordpress.org/browser/audioigniter/tags/2.0.2/audioigniter.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/fe573d64-036e-4f6f-bcc1-5183bb9ad2b9nvd
News mentions
0No linked articles in our index yet.