Cyber Posture

CVE-2024-56266

Medium

Published: 02 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0023 (45.7th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

Missing Authorization vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.8.

Security Summary

CVE-2024-56266 is a missing authorization vulnerability in the WordPress plugin "MP3 Audio Player for Music, Radio & Podcast by Sonaar" (slug: mp3-music-player-by-sonaar). Classified under CWE-862 (Missing Authorization), it allows access to functionality that is not properly constrained by access control lists (ACLs). The issue affects all versions up to and including 5.8. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), which is medium severity, with a network attack vector and low attack complexity.

The vulnerability can be exploited by an authenticated attacker with low privileges, such as a standard subscriber on the affected WordPress site. Exploitation requires no user interaction and occurs over the network with low attack complexity. A successful attack has low impact on confidentiality, integrity, and availability: the attacker can reach restricted plugin functionality because the plugin does not perform proper authorization checks.

Patchstack's advisory documents this broken access control vulnerability in version 5.8 and earlier of the WordPress MP3 Audio Player plugin. Details are at https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-plugin-5-8-broken-access-control-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-862

Affected Products

sonaar
mp3 audio player for music, radio & podcast
≤ 5.9
