CVE-2026-8679
Published: 22 May 2026
Summary
CVE-2026-8679 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the AudioIgniter plugin for WordPress (the product is inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 37.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference (CWE-639) in versions up to and including 2.0.2. The issue resides in the handle_playlist_endpoint() function hooked to template_redirect, which accepts a user-controlled playlist ID through the audioigniter_playlist_id query variable or the /audioigniter/playlist/{id}/ rewrite rule, validates only the post_type, and returns track data without any authentication, capability, or post_status verification.
Unauthenticated attackers can exploit the flaw remotely with low complexity to retrieve full track metadata—including titles, artists, audio URLs, buy links, download URLs, and cover images—from any playlist, including those in draft, private, pending, or trash status. The vulnerability carries a CVSS 3.1 score of 7.5 reflecting high confidentiality impact with no required privileges or user interaction.
A patch addressing the missing authorization checks is referenced in the plugin commit 35a0508583c26c01b6ac446404ad6fe1d440d8d4, with the vulnerable code paths documented in the WordPress plugin repository at audioigniter.php lines 1257, 1263, and 1315; the Wordfence advisory further details the affected endpoint.
The EPSS score remains flat at 0.2768 with no material increase observed after disclosure.
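The authorization gap described above, as an added example rather than the AudioIgniter plugin's own code: a template_redirect handler in the vulnerable shape (only post_type is validated, so any playlist ID yields track data) beside a hardened version that also gates on post_status and a per-post capability. The playlist post-type slug, the helper names prefixed ai_example_, and the sample posts are assumptions; the WordPress functions used (get_query_var, get_post, current_user_can, wp_send_json, add_action, add_filter, add_rewrite_rule) are real WordPress APIs, and the stubs are defined only when WordPress is not loaded so the file can be run offline with the php CLI.

```php
<?php
// Added example, not code from the AudioIgniter plugin or the Wordfence advisory.
// Assumed: the post-type slug below and the ai_example_* helper names.
const AI_PLAYLIST_TYPE = 'ai_playlist';

// ---- offline stubs, used only when this file runs outside WordPress ----
if (!function_exists('get_post')) {
    // Constructed sample posts: a public playlist, a draft playlist, and a non-playlist post.
    $GLOBALS['ai_demo_posts'] = [
        10 => (object) ['ID' => 10, 'post_type' => AI_PLAYLIST_TYPE, 'post_status' => 'publish'],
        11 => (object) ['ID' => 11, 'post_type' => AI_PLAYLIST_TYPE, 'post_status' => 'draft'],
        12 => (object) ['ID' => 12, 'post_type' => 'page',           'post_status' => 'publish'],
    ];
    $GLOBALS['ai_demo_query'] = [];
    $GLOBALS['ai_demo_can_edit'] = false; // flip to true to simulate a logged-in editor
    function get_post($id) { return $GLOBALS['ai_demo_posts'][$id] ?? null; }
    function get_query_var($key, $default = '') { return $GLOBALS['ai_demo_query'][$key] ?? $default; }
    function current_user_can($cap, ...$args) { return $GLOBALS['ai_demo_can_edit']; }
    function add_action($hook, $cb) {}
    function add_filter($hook, $cb) {}
    function add_rewrite_rule($regex, $query, $after = 'bottom') {}
}

// Stand-in for the plugin's track lookup (assumed shape of the metadata the advisory lists).
function ai_example_tracks(object $post): array {
    return [
        'playlist' => $post->ID,
        'status'   => $post->post_status,
        'tracks'   => [['title' => 'Demo track', 'artist' => 'Demo artist',
                        'audio_url' => 'https://example.com/demo.mp3']],
    ];
}

// The decision the vulnerable handler never makes: published playlists are public,
// anything else (draft, pending, private, future, trash) needs rights on that specific post.
// edit_post is the conservative choice; read_post would also admit users who may read private posts.
function ai_example_can_view_playlist(?object $post): bool {
    if (!$post || $post->post_type !== AI_PLAYLIST_TYPE) {
        return false;
    }
    if ($post->post_status === 'publish') {
        return true;
    }
    return current_user_can('edit_post', $post->ID);
}

// Vulnerable shape: post_type is the only check, so draft/private/trash playlists leak.
function ai_example_handler_vulnerable(): ?array {
    $id = (int) get_query_var('audioigniter_playlist_id');
    if ($id <= 0) {
        return null; // not this endpoint; let WordPress continue normal rendering
    }
    $post = get_post($id);
    if (!$post || $post->post_type !== AI_PLAYLIST_TYPE) {
        return null;
    }
    return ai_example_tracks($post);
}

// Hardened shape: same entry point, but status and capability gate the response.
// "Missing" and "forbidden" get the same answer so the endpoint is not an ID oracle.
function ai_example_handler_fixed(): ?array {
    $id = (int) get_query_var('audioigniter_playlist_id');
    if ($id <= 0) {
        return null;
    }
    if (!ai_example_can_view_playlist(get_post($id))) {
        return ['error' => 'not found'];
    }
    return ai_example_tracks(get_post($id));
}

// Wiring in the shape the advisory describes: a rewrite rule feeding the query var
// and a template_redirect hook that answers before any theme template runs.
add_action('init', function () {
    add_rewrite_rule('^audioigniter/playlist/([0-9]+)/?$',
                     'index.php?audioigniter_playlist_id=$matches[1]', 'top');
});
add_filter('query_vars', function (array $vars): array {
    $vars[] = 'audioigniter_playlist_id';
    return $vars;
});
add_action('template_redirect', function () {
    $out = ai_example_handler_fixed();
    if ($out === null) {
        return;
    }
    wp_send_json($out, isset($out['error']) ? 404 : 200);
});

// Offline walk-through: an anonymous caller requests the draft playlist (ID 11).
if (!function_exists('wp_send_json')) {
    $GLOBALS['ai_demo_query'] = ['audioigniter_playlist_id' => '11'];
    echo "vulnerable, anonymous: ", json_encode(ai_example_handler_vulnerable()), "\n";
    echo "fixed, anonymous:      ", json_encode(ai_example_handler_fixed()), "\n";
    $GLOBALS['ai_demo_can_edit'] = true; // same request from a user who can edit post 11
    echo "fixed, editor:         ", json_encode(ai_example_handler_fixed()), "\n";
}
```

Run with `php` outside WordPress to see the three cases: the vulnerable handler hands the draft's track data to the anonymous caller, the hardened handler returns the not-found body, and the same request from a user who can edit the post succeeds. Inside a real plugin the status/capability check should also cover any other path that serves the same data (shortcodes, REST routes, AJAX actions), since fixing one endpoint while another reads the same post unchecked leaves the IDOR in place.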
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31421
Vulnerability details
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check; only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
A direct, unauthenticated IDOR in a publicly reachable WordPress plugin endpoint lets a remote attacker exploit the web application to read data it is not authorized to see, which is the behaviour T1190 describes.
Affected Assets
- AudioIgniter plugin for WordPress, versions up to and including 2.0.2
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; any controls suggested here are derived from the weakness type (CWE-639) cited in the NVD entry rather than from analysis of this specific flaw. The direct remediation is to update AudioIgniter to a release that includes the referenced fix commit (35a0508583c26c01b6ac446404ad6fe1d440d8d4), which adds the missing authorization checks to the playlist endpoint.