What the vulnerability does
01 Description
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
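The class of check the description says is missing, as an added example for site and plugin developers. This is not the Sonaar plugin's code: the `example_*` names, the `post_id` parameter and the response shape are assumptions chosen for illustration.

```php
<?php
// Added illustration with hypothetical names; not taken from the plugin.

// A handler registered under wp_ajax_nopriv_* is reachable without login,
// so it must decide for itself whether the requested post may be read.
add_action( 'wp_ajax_example_track_note', 'example_track_note' );
add_action( 'wp_ajax_nopriv_example_track_note', 'example_track_note' );

/**
 * Return true only if the current visitor is allowed to read $post.
 */
function example_can_view_post( $post ) {
    if ( ! $post instanceof WP_Post ) {
        return false;
    }
    // Public post type, public status, and no unmet post password.
    if ( is_post_publicly_viewable( $post ) && ! post_password_required( $post ) ) {
        return true;
    }
    // Private, draft, pending and similar: require a logged-in user whose
    // capabilities map to read access on this specific post.
    return is_user_logged_in() && current_user_can( 'read_post', $post->ID );
}

function example_track_note() {
    // The user-controlled key: an object ID taken straight from the request.
    $post_id = isset( $_REQUEST['post_id'] )
        ? absint( wp_unslash( $_REQUEST['post_id'] ) )
        : 0;
    $post = $post_id ? get_post( $post_id ) : null;

    // An IDOR-prone handler would skip this step and return whatever
    // get_post() found, including posts with status "private".
    if ( ! example_can_view_post( $post ) ) {
        // Same reply for "missing" and "not allowed" so IDs cannot be probed.
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    wp_send_json_success(
        array( 'note' => wp_kses_post( $post->post_content ) )
    );
}
```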
Explanation of Vulnerability in Simple Terms
02 Summary
The MP3 Audio Player plugin for WordPress contains an information disclosure vulnerability affecting versions 4.0 through 5.10. An attacker on the network can read sensitive data without authentication or user interaction. The vulnerability exposes limited confidential information through the plugin's handling of requests. Site administrators should update to a version newer than 5.10.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the site without logging in.
Potential impact on your site
04 Site Impact
Confidential information may be exposed to unauthenticated visitors.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
February 20, 2026: Record updated