PT-2026-42737 · WordPress · Audioigniter

Nudien Udin · Published 2026-05-22 · Updated 2026-05-22 · CVE-2026-8679

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AudioIgniter versions prior to 2.0.3

Description

The AudioIgniter plugin for WordPress contains an Insecure Direct Object Reference (IDOR) issue. This occurs because the handle_playlist_endpoint() function (hooked to template_redirect) accepts a user-controlled playlist ID through the audioigniter_playlist_id query variable or the '/audioigniter/playlist/{id}/' endpoint and returns track data without verifying authentication, capabilities, or post status, validating only the post type. This allows unauthenticated attackers to access track metadata, including titles, artists, audio URLs, purchase links, download URLs, and cover images, for any playlist, including those marked as draft, private, pending, or trash.

Recommendations

Update to a version later than 2.0.2.
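
The check the description says was missing, sketched as an added example; this is not AudioIgniter's code or its actual patch. The function name and the EXAMPLE_PLAYLIST_POST_TYPE value are hypothetical placeholders, and the WordPress calls used are core functions.

```php
<?php
// Added example, not the plugin's code. EXAMPLE_PLAYLIST_POST_TYPE and
// example_get_readable_playlist() are placeholders chosen for illustration.
const EXAMPLE_PLAYLIST_POST_TYPE = 'example_playlist';

/**
 * Decide whether the current visitor may read a playlist's track data.
 * Returns the WP_Post when access is allowed, or null when it must be refused.
 */
function example_get_readable_playlist( $raw_id ) {
	$playlist_id = absint( $raw_id );
	if ( 0 === $playlist_id ) {
		return null;
	}

	$post = get_post( $playlist_id );

	// Post-type validation: the only check the advisory says was present.
	if ( ! $post || EXAMPLE_PLAYLIST_POST_TYPE !== $post->post_type ) {
		return null;
	}

	// Published playlists are public by design.
	if ( 'publish' === get_post_status( $post ) ) {
		return $post;
	}

	// draft, private, pending, trash and any other status: only for users
	// WordPress already allows to read this specific post.
	if ( is_user_logged_in() && current_user_can( 'read_post', $post->ID ) ) {
		return $post;
	}

	return null;
}

add_action( 'template_redirect', function () {
	$raw_id = get_query_var( 'audioigniter_playlist_id' );
	if ( empty( $raw_id ) ) {
		return; // Not a playlist request.
	}
	if ( null === example_get_readable_playlist( $raw_id ) ) {
		// Same answer for "missing" and "not allowed", so the response
		// does not reveal which playlist IDs exist.
		wp_send_json_error( array( 'message' => 'Playlist not found.' ), 404 );
	}
	// Track data is assembled and sent only past this point.
} );
```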

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-8679

Affected Products: Audioigniter