Server-Side Request Forgery Vulnerability in MP3 Audio Player by Sonaar
CVE-2026-1249

5MEDIUM

Key Information:

Vendor

WordPress
Status
Mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar
Vendor
CVE Published:
14 February 2026

What is CVE-2026-1249?

The MP3 Audio Player – Music Player, Podcast Player & Radio plugin developed by Sonaar is prone to a Server-Side Request Forgery (SSRF) vulnerability in versions 5.3 through 5.10. This vulnerability is triggered via the 'load_lyrics_ajax_callback' function, allowing authenticated users with author-level access or higher to send requests to external URLs originating from the web application. Such exploit capabilities can potentially enable attackers to access, modify, or extract information from internal services, presenting a significant risk to the integrity of sensitive data.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 <= 5.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3453076/mp3-...

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kenneth Dunn
JSON
.