External risk intelligence

WordPress plugin exposes playlist details attackers can access

CVE advisory

Severity: HIGH (CVSS 7.5)

CVE-2026-8679

The AudioIgniter WordPress plugin can expose private playlist details, like song titles and download links, to anyone on the internet. This could help attackers gather information about your site's content.

Halo Surface Signal: 5

External exposure likelihood

The vulnerability exists within a WordPress plugin that creates an internet-facing web endpoint. The affected function is accessible to any unauthenticated visitor navigating to the site's playlist URLs, making the vulnerable surface public by default on any deployment of this plugin.

PCI scan relevance


CVE-2026-8679 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to access sensitive playlist metadata, potentially leading to a PCI ASV scan failure due to data exposure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This issue affects the AudioIgniter WordPress plugin, allowing unauthenticated visitors to access sensitive track metadata. This means that details like song titles, artist names, and download links for any playlist, even those intended to be private or unpublished, can be exposed.

  • Sensitive playlist data is exposed.
  • Affects any site using the plugin.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by crafting a specific URL to retrieve sensitive data about any playlist on a WordPress site. This allows them to see track titles, artists, and importantly, direct audio file URLs for playlists, regardless of their draft or private status.

  • Publicly accessible endpoint.
  • No authentication required.
  • Direct access to playlist data.

Live Threat

Current exploitation, exposure, and threat context

Attackers may exploit this vulnerability to extract sensitive playlist metadata from unauthenticated endpoints. While direct data theft is unlikely, the exposed information could facilitate further attacks or reconnaissance. Currently, there is no indication this CVE has been weaponized, and its utility for widespread exploitation appears limited.

  • No known exploitation in the wild.
  • No public exploits are available.
  • The vulnerability is in a WordPress plugin.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and blocking all traffic to the `/audioigniter/playlist/{id}/` endpoint and any requests containing the `audioigniter_playlist_id` query parameter. Teams should actively search logs for evidence of unauthorized access to playlist data and inventory all WordPress sites using the AudioIgniter plugin. If the plugin is actively exploited, consider temporarily disabling it.

  • Block playlist endpoint access.
  • Monitor logs for suspicious playlist requests.
  • Inventory affected WordPress sites.

Frequently asked questions

What is the AudioIgniter WordPress plugin and its function?

AudioIgniter is a WordPress plugin that acts as a music player, enabling users to create and embed audio playlists on their websites. It supports various audio formats and can stream radio shows, offering features for custom track details such as buy or download links.

What security vulnerability does CVE-2026-8679 represent?

CVE-2026-8679 is an Insecure Direct Object Reference (IDOR) vulnerability. This type of weakness occurs when an application exposes internal object identifiers without sufficient access controls, allowing attackers to manipulate these identifiers to access unauthorized data or perform restricted actions.

How can an unauthenticated attacker exploit CVE-2026-8679?

An unauthenticated attacker can exploit this flaw by accessing the handle_playlist_endpoint() function within the AudioIgniter plugin. This function accepts a user-controlled playlist ID without proper checks, enabling attackers to view track metadata and audio URLs for any playlist, including those in draft or private status.

What is the relevance of CVE-2026-8679, considering Halo Surface Signal data?

Halo classifies this CVE as 'Very likely' to be exploited because the vulnerability is in a WordPress plugin with an internet-facing web endpoint. The affected function is publicly accessible to unauthenticated visitors, making the vulnerability a public risk on any site using this plugin.

What practical steps should be taken to respond to this vulnerability?

To mitigate this vulnerability, it is recommended to block all traffic to the `/audioigniter/playlist/{id}/` endpoint and requests containing the `audioigniter_playlist_id` query parameter. Monitoring logs for suspicious playlist access and inventorying all WordPress sites using the AudioIgniter plugin are also advised. If the plugin is actively exploited, consider temporarily disabling it.
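As an added example (not part of the advisory and not the plugin's own code), the log-monitoring step recommended here and in the Operational Fix section, written in Python: it parses constructed access-log lines, picks out requests that hit the `/audioigniter/playlist/{id}/` path or carry the `audioigniter_playlist_id` query parameter, and flags clients that pulled many distinct playlist IDs, which looks like ID enumeration rather than normal playback. The combined log format, the IP addresses and the threshold of three are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET /audioigniter/playlist/12/ HTTP/1.1" 200 812 "-" "curl/8.4"
203.0.113.7 - - [12/May/2026:10:01:03 +0000] "GET /audioigniter/playlist/13/ HTTP/1.1" 200 799 "-" "curl/8.4"
203.0.113.7 - - [12/May/2026:10:01:04 +0000] "GET /?audioigniter_playlist_id=14 HTTP/1.1" 200 805 "-" "curl/8.4"
198.51.100.2 - - [12/May/2026:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:10:06:11 +0000] "GET /audioigniter/playlist/12/ HTTP/1.1" 200 812 "https://example.test/" "Mozilla/5.0"
"""

# Client IP, request target and response status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The endpoint path named in the advisory; the numeric ID is the object reference.
PATH_RE = re.compile(r'^/audioigniter/playlist/(?P<id>\d+)/?$')

def playlist_id_from_request(target):
    """Return the playlist ID if the request touches the exposed surface, else None."""
    parsed = urlparse(target)
    m = PATH_RE.match(parsed.path)
    if m:
        return m.group("id")
    qs = parse_qs(parsed.query)
    if "audioigniter_playlist_id" in qs:
        return qs["audioigniter_playlist_id"][0]
    return None

def find_playlist_access(log_text):
    """Map each client IP to the set of playlist IDs actually served (HTTP 200) to it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        pid = playlist_id_from_request(m.group("target"))
        if pid is not None and m.group("status") == "200":
            hits[m.group("ip")].add(pid)
    return hits

def flag_enumeration(hits, threshold=3):
    """Clients that fetched at least `threshold` distinct playlists: likely enumeration."""
    return sorted(ip for ip, ids in hits.items() if len(ids) >= threshold)
```

A single visitor playing one embedded playlist produces one ID per client; a client walking sequential IDs across several requests is the pattern worth investigating.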
