MP3 Audio Player – Music Player, Podcast Player & Radio...

5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Description

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Basic Information

ID CVE-2026-1249

Source Wordfence

Published Feb 14, 2026 at 08:26

Affected Product

Vendor sonaar

Product MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Version 5.3

Affected Versions sonaar MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "The MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
    "published": "2026-02-14T08:26:46.021Z",
    "modified": "2026-02-14T08:26:46.021Z",
    "type": "cve",
    "title": "MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/261aad1e-43fc-4927-a97d-85a001863023?source=cve\nhttps://plugins.trac.wordpress.org/changeset/3453076/mp3-music-player-by-sonaar/trunk/sonaar-music.php",
    "id": "CVE-2026-1249",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "sonaar MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar 5.3",
    "sourceHref": "",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MP3 Audio Player \u2013 Music Player, Podcast Player & Radio by Sonaar",
    "version": "5.3",
    "vendor": "sonaar",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 – 5.10 – Authenticated (Author+) Server-Side Request Forgery_CVE-2026-1249