CVE-2026-8679: WordPress AudioIgniter Plugin Exposes Playlist Data
The AudioIgniter plugin for WordPress, in versions up to and including 2.0.2, is vulnerable to an Insecure Direct Object Reference (IDOR) identified as CVE-2026-8679. The National Vulnerability Database reports that the handle_playlist_endpoint() function, triggered via template_redirect, accepts a user-controlled playlist ID without proper authentication or status checks. Only the post_type is validated, leaving other crucial security gates open.
This flaw allows unauthenticated attackers to access track metadata for any playlist on a compromised site. This includes sensitive details like titles, artists, audio URLs, buy links, download URLs, and cover images, even for playlists marked as draft, private, pending, or trash. The National Vulnerability Database has assigned this vulnerability a CVSS score of 7.5 (HIGH), underscoring the significant risk it poses to data confidentiality.
The attacker’s calculus here is straightforward: low effort, high reward. They don’t need credentials or complex exploits; a simple, malformed request is enough to scrape potentially proprietary or sensitive content. For defenders, this is a glaring data leak, exposing content that was explicitly marked for limited access. It’s a fundamental breakdown of access control, allowing anyone to bypass intended privacy settings.
What This Means For You
- If your organization uses the AudioIgniter plugin on WordPress, you are exposed. This isn't just about public playlists; private, draft, and even deleted playlist metadata is vulnerable. Immediately audit your WordPress sites for AudioIgniter versions up to 2.0.2. Patching is critical to prevent unauthenticated information disclosure and protect content intended for internal or restricted access. Don't assume 'private' means secure with this plugin.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-8679: WordPress AudioIgniter Playlist ID Enumeration
title: CVE-2026-8679: WordPress AudioIgniter Playlist ID Enumeration
id: scw-2026-05-22-ai-1
status: experimental
level: high
description: |
Detects attempts to access playlist data via the 'audioigniter_playlist_id' query parameter in the AudioIgniter plugin. This specific parameter is used by the vulnerable function to expose playlist metadata without authentication, indicating a potential exploitation of CVE-2026-8679.
author: SCW Feed Engine (AI-generated)
date: 2026-05-22
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-8679/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/wp-content/plugins/audio-igniter/'
cs-uri-query|contains:
- 'audioigniter_playlist_id='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8679 | IDOR | AudioIgniter plugin for WordPress versions <= 2.0.2 |
| CVE-2026-8679 | IDOR | Vulnerable function: handle_playlist_endpoint() |
| CVE-2026-8679 | IDOR | Vulnerable parameter: audioigniter_playlist_id query var |
| CVE-2026-8679 | IDOR | Vulnerable endpoint: /audioigniter/playlist/{id}/ rewrite rule |
| CVE-2026-8679 | Information Disclosure | Disclosure of playlist track metadata (titles, artists, audio URLs, buy links, download URLs, cover images) from draft, private, pending, or trash status playlists. |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 22, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content
CVE-2026-9011 — The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and...
CVE-2026-8692 — The Vedrixa Forms – User Registration Form, Signup Form &
CVE-2026-8692 — The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass...
CVE-2026-8684 — The MotoPress Hotel Booking plugin for WordPress is
CVE-2026-8684 — The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due...