What the vulnerability does
01 Description
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
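An illustrative hardened version of the endpoint handler, written for this advisory and not taken from the plugin: it keeps the post_type check the description mentions and adds the post_status and capability checks it says are missing. The post type slug, the function names prefixed `ai_` and the `ai_build_track_data()` helper are assumptions standing in for the plugin's own code.

```php
<?php
// Illustrative hardened handler (not the plugin's code). The post type slug
// is an assumption; substitute the value the plugin actually registers.
const AI_PLAYLIST_POST_TYPE = 'audioigniter_playlist'; // assumed slug

/**
 * Decide whether the current request may read a playlist's track data.
 * Returns the WP_Post on success, or a WP_Error describing the denial.
 */
function ai_authorize_playlist_request( $playlist_id ) {
    $playlist_id = absint( $playlist_id );
    if ( ! $playlist_id ) {
        return new WP_Error( 'ai_bad_id', 'Invalid playlist id', array( 'status' => 400 ) );
    }
    $post = get_post( $playlist_id );
    // The only check the vulnerable version performed: post_type.
    if ( ! $post || AI_PLAYLIST_POST_TYPE !== $post->post_type ) {
        return new WP_Error( 'ai_not_found', 'Not found', array( 'status' => 404 ) );
    }
    // Added: any non-published playlist (draft, private, pending, trash) is
    // gated on the read_post meta capability, which WordPress maps to
    // read_private_posts or edit_post depending on the status.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        // Answer 404 rather than 403 so hidden playlist IDs are not confirmed.
        return new WP_Error( 'ai_not_found', 'Not found', array( 'status' => 404 ) );
    }
    return $post;
}

/**
 * Hardened replacement for the template_redirect handler (hypothetical name).
 * Relies on the plugin having registered the audioigniter_playlist_id query var.
 */
function ai_handle_playlist_endpoint_hardened() {
    $playlist_id = get_query_var( 'audioigniter_playlist_id' );
    if ( '' === $playlist_id ) {
        return; // not our endpoint; let normal template loading continue
    }
    $result = ai_authorize_playlist_request( $playlist_id );
    if ( is_wp_error( $result ) ) {
        $status = $result->get_error_data()['status'] ?? 404;
        wp_send_json_error( array( 'message' => $result->get_error_message() ), $status );
    }
    // ai_build_track_data() is an assumed helper standing in for the plugin's
    // own code that serialises titles, artists, audio URLs, and cover images.
    wp_send_json_success( ai_build_track_data( $result ) );
}
add_action( 'template_redirect', 'ai_handle_playlist_endpoint_hardened' );
```

The same authorization function can be reused by any other code path that resolves a playlist from a user-supplied ID, so the rewrite rule and the query var share one check.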
Explanation of Vulnerability in Simple Terms
02 Summary
AudioIgniter Music Player versions 2.0.2 and earlier contain an authorization flaw that exposes sensitive audio data. An attacker on the network can read protected music files and metadata without authentication. No user interaction is required. Update to a version newer than 2.0.2 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read protected audio files and metadata without logging in.
Potential impact on your site
04 Site Impact
Unauthorized users can access all protected music content and player metadata.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 22, 2026: CVE published
May 22, 2026: Record updated