CVE-2024-56266
Published: 02 January 2025
Summary
CVE-2024-56266 is a medium-severity Missing Authorization (CWE-862) vulnerability in the Sonaar "MP3 Audio Player for Music, Radio & Podcast" WordPress plugin. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its estimated exploit likelihood ranks in the top 45.1% of CVEs; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-56266 is a missing authorization vulnerability in the WordPress plugin "MP3 Audio Player for Music, Radio & Podcast by Sonaar" (slug: mp3-music-player-by-sonaar). Classified under CWE-862 (Missing Authorization), it enables accessing functionality not properly constrained by access control lists (ACLs). The issue affects all versions from n/a through 5.8 inclusive. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low complexity.
The vulnerability can be exploited by an authenticated attacker with low privileges, such as a standard subscriber on the affected WordPress site. Exploitation requires no user interaction and occurs over the network with low attack complexity. Successful attacks result in low-level impacts to confidentiality, integrity, and availability, allowing the attacker to access restricted plugin functionalities without proper authorization checks.
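The advisory does not name the affected endpoint, so the following is an added, generic illustration of the CWE-862 pattern in a WordPress AJAX handler and of the hardened form; it is not code from the Sonaar plugin or from the advisory source. The WordPress core functions (`current_user_can`, `check_ajax_referer`, `sanitize_key`, `wp_send_json_*`) are replaced by simplified stand-ins so the file runs under plain `php`; the handler names, the `manage_options` capability and the nonce value are assumptions for the demo.

```php
<?php
// Added example: not code from the Sonaar plugin or the advisory source. It
// reproduces the generic CWE-862 pattern in a WordPress AJAX handler and the
// hardened form. The WordPress functions below are simplified stand-ins so the
// file runs under plain `php`; in a real plugin they are provided by core.

$GLOBALS['demo_user_caps'] = [];       // capabilities of the simulated current user
$GLOBALS['demo_nonce']     = 'abc123'; // nonce the site would have issued to the page

function current_user_can(string $cap): bool {
    return in_array($cap, $GLOBALS['demo_user_caps'], true);
}
function check_ajax_referer(string $action, string $query_arg = '_ajax_nonce', bool $die = true): bool {
    $sent = (string) ($_REQUEST[$query_arg] ?? '');
    return $sent !== '' && hash_equals($GLOBALS['demo_nonce'], $sent);
}
function sanitize_key(string $key): string {
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
}
function wp_send_json_success($data = null): array {
    return ['success' => true, 'data' => $data];
}
function wp_send_json_error($data = null, ?int $status = null): array {
    return ['success' => false, 'data' => $data, 'status' => $status ?? 403];
}

// Vulnerable: hooked via add_action('wp_ajax_demo_save', ...), which only
// requires a logged-in session. Input is sanitised, but nothing checks WHO is
// calling, so a Subscriber can change plugin settings (missing authorization).
function demo_save_settings_vulnerable(): array {
    $value = sanitize_key((string) ($_POST['autoplay'] ?? ''));
    return wp_send_json_success(['saved' => $value]);
}

// Hardened: capability (authorization) check first, then the anti-CSRF nonce.
// Both are needed: a nonce alone does not establish the caller's role, and a
// capability check alone does not stop a CSRF'd administrator.
function demo_save_settings_hardened(): array {
    if (!current_user_can('manage_options')) {
        return wp_send_json_error('insufficient_capability', 403);
    }
    if (!check_ajax_referer('demo_save', '_ajax_nonce', false)) {
        return wp_send_json_error('bad_nonce', 403);
    }
    $value = sanitize_key((string) ($_POST['autoplay'] ?? ''));
    return wp_send_json_success(['saved' => $value]);
}

// Simulation: a Subscriber (only the 'read' capability) calls both handlers,
// then an Administrator holding a valid nonce calls the hardened one.
$_POST['autoplay'] = 'on';
$GLOBALS['demo_user_caps'] = ['read'];
printf("subscriber, vulnerable handler: %s\n", json_encode(demo_save_settings_vulnerable()));
printf("subscriber, hardened handler:   %s\n", json_encode(demo_save_settings_hardened()));

$GLOBALS['demo_user_caps'] = ['read', 'manage_options'];
$_REQUEST['_ajax_nonce'] = $GLOBALS['demo_nonce'];
printf("admin with nonce, hardened:     %s\n", json_encode(demo_save_settings_hardened()));
```

The point to check when auditing a plugin for this class of bug: every `wp_ajax_*`, REST route (`permission_callback`) and `admin_post_*` handler that changes state should call `current_user_can()` with a capability appropriate to the action, independently of any nonce check.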
Patchstack's advisory documents this broken access control vulnerability specifically in version 5.8 and earlier of the WordPress MP3 Audio Player plugin, providing details at https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-plugin-5-8-broken-access-control-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53064
Vulnerability details
Missing Authorization vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.8.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin lets an authenticated low-privilege account reach restricted plugin functions over the network (T1190), and the resulting access to functions reserved for higher roles is a form of privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires enforcement of approved authorizations for access to system resources, directly addressing the missing authorization checks that allow low-privilege users to reach restricted plugin functionality.
- SI-2 (Flaw Remediation): mandates timely identification, reporting and remediation of flaws such as this one by updating the affected plugin versions.
- AC-6 (Least Privilege): restricts low-privilege authenticated users such as subscribers from performing actions intended for higher-privilege roles, providing defense in depth should an access check be missing.
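For the SI-2 control, the practical first step is to find out whether an installed copy sits in the affected range (every version through 5.8). The following is an added example, not the plugin's code or the advisory source's: it reads the `Version:` plugin header the way WordPress does and compares it with `version_compare()`. The sample header is constructed for the demo, and the plugins-directory path in the usage comment is an assumption.

```php
<?php
// Added example (SI-2 flaw remediation), not the plugin's code: decide whether an
// installed copy is in the advisory's affected range (all versions through 5.8) by
// reading the Version: header that WordPress itself uses. The plugins directory
// path and the sample header below are assumptions / constructed for the demo.

const AFFECTED_MAX = '5.8';   // highest affected version named by the advisory

/** Pull the "Version:" value out of a plugin's main file, approximating what
 *  WordPress does: first 8 KiB, case-insensitive, the header line may be
 *  prefixed by comment markers. Returns null when no header is found. */
function plugin_header_version(string $file_contents): ?string {
    $head = substr($file_contents, 0, 8192);
    if (preg_match('/^[ \t\/*#@]*Version:(.*)$/mi', $head, $m)) {
        $v = trim($m[1]);
        return $v === '' ? null : $v;
    }
    return null;
}

/** True when the version is within the affected range. An unreadable version
 *  is reported as affected so the check fails closed. */
function is_affected(?string $version, string $max = AFFECTED_MAX): bool {
    return $version === null || version_compare($version, $max, '<=');
}

/** Look for the plugin's main file under wp-content/plugins/<slug>/ and report it. */
function check_plugin_dir(string $plugins_dir, string $slug): array {
    $dir = rtrim($plugins_dir, '/') . '/' . $slug;
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $v = plugin_header_version((string) file_get_contents($file));
        if ($v !== null) {
            return ['file' => $file, 'version' => $v, 'affected' => is_affected($v)];
        }
    }
    // No header found: plugin absent or unreadable; report affected so it is reviewed.
    return ['file' => null, 'version' => null, 'affected' => true];
}

// Constructed sample header (not the real plugin file); nowdoc so nothing interpolates.
$sample = <<<'HDR'
<?php
/**
 * Plugin Name: Demo Audio Player
 * Version:     5.8
 */
HDR;

$v = plugin_header_version($sample);
printf("sample header: version=%s affected=%s\n", $v ?? 'unknown', is_affected($v) ? 'yes' : 'no');

// On a real site (assumed path):
// print_r(check_plugin_dir('/var/www/html/wp-content/plugins', 'mp3-music-player-by-sonaar'));
```

Where WP-CLI is available, `wp plugin get mp3-music-player-by-sonaar --field=version` returns the same header value without a custom script. The advisory on this page states only the affected range, so confirm the first fixed release against the vendor or Patchstack before treating anything above 5.8 as remediated.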