CVE-2026-8679— AudioIgniter Music Player <= 2.0.2 - Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter
Possible ATT&CK Techniques 1AI
T1135 · Network Share DiscoveryAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| cssigniterteam | AudioIgniter Music Player | ≤ 2.0.2 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8679
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AudioIgniter Music Player <= 2.0.2 - Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| cssigniterteam | AudioIgniter Music Player | 0 ~ 2.0.2 | - |
II. Public POCs for CVE-2026-8679
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 16793 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-8679
请登录查看更多情报信息。
Patch · 1
IV. Related Vulnerabilities
Same weakness: CWE-639
- CVE-2026-39967
TypeBot: Cross-Typebot Result Data Access via Missing typebo - CVE-2026-28444
Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace - CVE-2026-9248
Devolutions Server越权漏洞影响2025及2026版本 - CVE-2026-8347
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-a - CVE-2026-3473
Improper file ownership validation in the Boards API allows
V. Comments for CVE-2026-8679
No comments yet