
CVE-2026-8679

Severity: High
Published: 22 May 2026
Modified: 22 May 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0114 (62.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-8679 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the AudioIgniter plugin for WordPress (the affected product is inferred from the references; NVD has not filed a CPE for this CVE). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.5% of all CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference (CWE-639) in versions up to and including 2.0.2. The issue resides in the handle_playlist_endpoint() function hooked to template_redirect, which accepts a user-controlled playlist ID through the audioigniter_playlist_id query variable or the /audioigniter/playlist/{id}/ rewrite rule, validates only the post_type, and returns track data without any authentication, capability, or post_status verification.

Unauthenticated attackers can exploit the flaw remotely with low complexity to retrieve full track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) from any playlist, including those in draft, private, pending, or trash status. Because playlist IDs are ordinary WordPress post IDs (sequential integers), enumerating every playlist on a site is trivial. The practical impact depends on what unpublished playlists hold; audio and download URLs for unreleased or paid content are the most sensitive fields. The vulnerability carries a CVSS 3.1 score of 7.5, reflecting high confidentiality impact with no required privileges or user interaction.

A patch addressing the missing authorization checks is referenced in the plugin commit 35a0508583c26c01b6ac446404ad6fe1d440d8d4, with the vulnerable code paths documented in the WordPress plugin repository at audioigniter.php lines 1257, 1263, and 1315; the Wordfence advisory further details the affected endpoint. The fixed release is not named on this page, so confirm that the installed plugin version contains that commit rather than relying on the version number alone.
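To make the missing check concrete, the following is an added example written for this page; it is neither AudioIgniter's code nor the referenced commit. It reconstructs the pattern the advisory describes (a template_redirect handler that reads audioigniter_playlist_id and validates only post_type) as a minimal vulnerable handler, and places a hardened version beside it that decides authorization on every request. The hook name, the query var and the post_type-only behaviour come from the advisory; the function names, the `ai_playlist` post type slug, the `_example_tracks` meta key and the JSON response shape are assumptions for illustration only.

```php
<?php
/**
 * Added example (not AudioIgniter code, not its patch). The hook, query var
 * and "only post_type is checked" behaviour are from the advisory; the function
 * names, the 'ai_playlist' slug, the meta key and the response shape are
 * assumptions for illustration only.
 */

/** Assumed helper: resolve the playlist post named by the request. */
function example_resolve_playlist() {
    $playlist_id = absint( get_query_var( 'audioigniter_playlist_id' ) );
    if ( ! $playlist_id ) {
        return null; // Not a playlist request; let WordPress continue.
    }
    $post = get_post( $playlist_id );
    if ( ! $post || 'ai_playlist' !== $post->post_type ) {
        return false; // Missing object or wrong post type.
    }
    return $post;
}

/** Assumed track serialization; the real field set lives in the plugin. */
function example_collect_tracks( WP_Post $post ) : array {
    $tracks = get_post_meta( $post->ID, '_example_tracks', true );
    return is_array( $tracks ) ? $tracks : array();
}

/**
 * VULNERABLE pattern: post_type is the only check, so draft, pending, private
 * and trashed playlists are served to anyone who supplies their ID.
 */
function example_vulnerable_playlist_endpoint() {
    $post = example_resolve_playlist();
    if ( null === $post ) {
        return;
    }
    if ( false === $post ) {
        status_header( 404 );
        exit;
    }
    wp_send_json( example_collect_tracks( $post ) ); // No status or capability check.
}

/** Per-request authorization decision for one playlist post. */
function example_user_can_view_playlist( WP_Post $post ) : bool {
    $status = get_post_status_object( $post->post_status );
    // A public status (publish) is readable by anyone, subject to a post password.
    if ( $status && $status->public ) {
        return ! post_password_required( $post );
    }
    // Every other status (draft, pending, private, future, trash) goes through
    // the 'read_post' meta capability, which WordPress resolves per status:
    // read_private_posts for private posts, edit rights for the rest.
    // Anonymous visitors hold none of these, so they are denied.
    return current_user_can( 'read_post', $post->ID );
}

/** HARDENED handler: authorize before a single byte of track data is sent. */
function example_hardened_playlist_endpoint() {
    $post = example_resolve_playlist();
    if ( null === $post ) {
        return;
    }
    // Same 404 for "no such playlist" and "not authorized", so the endpoint
    // cannot be used to confirm which playlist IDs exist.
    if ( false === $post || ! example_user_can_view_playlist( $post ) ) {
        status_header( 404 );
        nocache_headers();
        exit;
    }
    wp_send_json( example_collect_tracks( $post ) );
}

add_action( 'template_redirect', 'example_hardened_playlist_endpoint' );
```

Two design points are worth noting. First, a WordPress rewrite rule such as /audioigniter/playlist/{id}/ only populates a query var; by the time template_redirect fires, both the pretty URL and the raw `?audioigniter_playlist_id=` form arrive at the same handler, so one check inside the handler covers both entry points. Second, the hardened version answers 404 for both unknown and unauthorized IDs; returning 403 only for unauthorized ones would turn the endpoint into an oracle for which unpublished playlists exist.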

The EPSS score has remained flat at the value shown above (0.0114, 62.5th percentile), with no material increase observed after disclosure.


Vulnerability details (NVD description)

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check; only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status.

CWE(s)

CWE-639: Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated IDOR in public WordPress plugin enables remote exploitation of web application to access unauthorized data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-639)

CVE-2025-68044
CVE-2026-30230
CVE-2025-69394
CVE-2026-33356
CVE-2025-40805
CVE-2026-40600
CVE-2026-24379
CVE-2026-24136
CVE-2026-22234
CVE-2025-14844

Affected Assets

WordPress (AudioIgniter plugin, versions up to and including 2.0.2)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-639: Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Addresses CWE-639: Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
