Atomic Edge analysis of CVE-2026-1219:
This vulnerability is an unauthenticated Insecure Direct Object Reference (IDOR) in the MP3 Audio Player by Sonaar WordPress plugin, affecting versions 4.0 through 5.10. The flaw allows attackers to retrieve the content of private posts via a missing access control check in an AJAX handler.

Root Cause: The vulnerability exists in the `load_track_note_ajax_callback()` function within the main plugin file `sonaar-music.php`. The function at lines 175-195 (pre-patch) accepts user-controlled `post-id` and `track-position` parameters via the `load_track_note_ajax` AJAX action. The function directly passes these parameters to `get_post()` and `get_post_meta()` without verifying the requesting user has permission to access the specified post. The `wp_ajax_nopriv_` hook registration permits unauthenticated access.

Exploitation: Attackers send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `load_track_note_ajax`. They supply a target `post-id` parameter containing the numeric ID of a private post and a `track-position` parameter (often 0 for single-track posts). The request must include a valid `nonce` parameter matching `sonaar_music_ajax_nonce`. The plugin then returns the post content or track description.

Patch Analysis: The patch in `sonaar-music.php` lines 175-195 adds multiple security controls. It validates `post-id` using `absint()` and checks for a zero value. It introduces a post status check: if the post status is not `publish`, the function verifies the user is logged in and has the `read_post` capability for that specific post ID via `current_user_can('read_post', $post_id)`. The patch also replaces `sanitize_text_field()` with `wp_kses_post()` for output sanitization and uses `absint()` on the track position.
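The following is an added illustration, not the plugin's source: a minimal AJAX handler in the vulnerable shape described under Root Cause, beside one carrying the controls described in the patch. The handler bodies, the meta key `track_note`, and the function names are assumptions; the hook names, nonce action and WordPress API calls are as described above.

```php
<?php
// BEFORE (shape described in the Root Cause section). Registering the
// wp_ajax_nopriv_ hook exposes the handler to anonymous visitors, and the
// post id is used without any check that the requester may read that post.
add_action( 'wp_ajax_load_track_note_ajax',        'vulnerable_load_track_note' );
add_action( 'wp_ajax_nopriv_load_track_note_ajax', 'vulnerable_load_track_note' );
function vulnerable_load_track_note() {
    // A nonce is a CSRF token; it says nothing about who may read the post.
    check_ajax_referer( 'sonaar_music_ajax_nonce', 'nonce' );
    $post  = get_post( $_POST['post-id'] );
    $notes = (array) get_post_meta( $post->ID, 'track_note', true ); // meta key assumed
    $text  = $notes[ $_POST['track-position'] ] ?? $post->post_content;
    wp_send_json_success( sanitize_text_field( $text ) );
}

// AFTER: the controls the Patch Analysis section describes.
add_action( 'wp_ajax_load_track_note_ajax',        'hardened_load_track_note' );
add_action( 'wp_ajax_nopriv_load_track_note_ajax', 'hardened_load_track_note' );
function hardened_load_track_note() {
    check_ajax_referer( 'sonaar_music_ajax_nonce', 'nonce' );

    // Integer-coerce both parameters and reject a zero post id.
    $post_id  = absint( $_POST['post-id'] ?? 0 );
    $position = absint( $_POST['track-position'] ?? 0 );
    if ( 0 === $post_id ) {
        wp_send_json_error( 'invalid post id', 400 );
    }
    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Authorization: anything not published requires a logged-in user who
    // holds read_post for this specific post (resolved through map_meta_cap).
    if ( 'publish' !== $post->post_status
         && ( ! is_user_logged_in() || ! current_user_can( 'read_post', $post_id ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Added beyond the described patch: password-protected posts keep the
    // status 'publish', so a status check alone does not gate them.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $notes = (array) get_post_meta( $post_id, 'track_note', true ); // meta key assumed
    $text  = isset( $notes[ $position ] ) ? $notes[ $position ] : $post->post_content;
    // wp_kses_post() keeps post-safe HTML; sanitize_text_field() would strip it.
    wp_send_json_success( wp_kses_post( $text ) );
}
```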

Impact: Successful exploitation allows unauthenticated attackers to read the full content of private WordPress posts, including draft posts, pending reviews, and password-protected posts. This exposes sensitive information intended for limited audiences, violating confidentiality. The CVSS 5.3 score reflects medium severity due to the attack complexity requiring a valid nonce and the impact being limited to information disclosure.