This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
🚨 **Nature**: Insecure Direct Object Reference (IDOR) vulnerability. 💥 **Impact**: Attackers can obtain sensitive metadata for **all** playlists on the website (titles, artists, audio URLs, purchase/download links, cover…
🔍 **CWE**: CWE-639 (Insecure Direct Object Reference). 🛠️ **Vulnerable Code**: The `handle_playlist_endpoint()` function only validates `post_type`, but **completely lacks** authentication, permission checks, and post st…
📉 **Low Barrier to Entry**. ✅ **No authentication required**. ✅ **No configuration required**. ✅ **Simple Attack**: Construct an HTTP request directly by passing the `audioigniter_playlist_id` parameter or accessing the …
📄 **PoC**: The `pocs` field in the provided data is empty; no public ready-made exploits are currently available. 🌍 **Exploitation in the Wild**: No reports found.…
🛡️ **Official Fix**: Yes, it has been fixed. 📝 **Patch**: Refer to GitHub commit `35a0508583c26c01b6ac446404ad6fe1d440d8d4`. It is recommended to upgrade to the latest version immediately.
Q9 What if no patch? (Workaround)
🚧 **Temporary Mitigation**: 1. **Upgrade** the plugin to the latest version (preferred). 2. If unable to upgrade, consider **disabling** the plugin. 3.…
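While an unpatched version is still deployed, access logs can show whether one client has been walking through playlist IDs. The following is an added example, not part of the original analysis or the plugin's code: it assumes combined-format access logs, a constructed request path and sample lines, and an arbitrary threshold, and it covers only the `audioigniter_playlist_id` query parameter named above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PARAM = "audioigniter_playlist_id"  # parameter name taken from the page

# Common/combined log format: client IP first, request line in the first quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def playlist_ids_by_client(lines):
    """Map client IP -> set of playlist IDs it fetched with a 2xx response."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or nothing was served
        query = parse_qs(urlsplit(m["target"]).query)
        for value in query.get(PARAM, []):
            if value.isdigit():
                seen[m["ip"]].add(int(value))
    return seen

def flag_enumeration(lines, min_distinct=5):
    """Return {ip: sorted IDs} for clients that fetched many different playlists.

    Repeated fetches of the same playlist are not counted twice. The threshold
    is an assumption; tune it to how many playlists a real visitor would load.
    """
    return {
        ip: sorted(ids)
        for ip, ids in playlist_ids_by_client(lines).items()
        if len(ids) >= min_distinct
    }

# Constructed sample log lines (documentation IP ranges, made-up path and sizes).
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Jan/2025:10:00:{i:02d} +0000] "GET /?{PARAM}={i} HTTP/1.1" 200 1532'
    for i in range(10, 18)
] + [
    f'192.0.2.10 - - [01/Jan/2025:10:05:00 +0000] "GET /?{PARAM}=42 HTTP/1.1" 200 980',
] * 3 + [
    f'203.0.113.5 - - [01/Jan/2025:10:06:00 +0000] "GET /?{PARAM}=99 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} fetched {len(ids)} distinct playlists: {ids}")
```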
⚡ **Priority: High**. 📊 **CVSS**: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Critical/High Impact). 💡 **Reason**: Sensitive data (including potential commercial purchase links and audio sources) can be leaked without authe…