{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39647", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:33.159Z", "dateUpdated": "2026-04-08T08:30:33.159Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mp3-music-player-by-sonaar", "product": "MP3 Audio Player for Music, Radio & Podcast by Sonaar", "vendor": "sonaar", "versions": [{"lessThanOrEqual": "5.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.046Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.<p>This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:33.159Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-for-music-radio-podcast-by-sonaar-plugin-5-11-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11."}], "id": "CVE-2026-39647", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:35.620", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mp3-music-player-by-sonaar/vulnerability/wordpress-mp3-audio-player-for-music-radio-podcast-by-sonaar-plugin-5-11-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.11]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "MP3 Audio Player for Music, Radio & Podcast by Sonaar", "source": "cna", "vendor": "sonaar"}, "product": "mp3_audio_player_for_music,_radio_&_podcast", "vendor": "sonaar"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:06:56.643702+00:00", "value": {"mitigation_remediation": ["Upgrade the MP3 Audio Player plugin to a version newer than 5.11", "If upgrade is not immediately possible, disable the plugin until a patch is applied", "Consider restricting external URL access via server firewall or plugin settings if available"], "summary": {"action": "Apply Patch", "impact": "Server-Side Request Forgery that can expose internal resources and sensitive data"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites running the Sonaar MP3 Audio Player for Music, Radio & Podcast plugin version 5.11 or earlier. No specific platform versions are listed, so any WordPress installation deploying the plugin within this version range is vulnerable, regardless of the underlying operating system.", "description_and_impact": "Server-Side Request Forgery vulnerability in the MP3 Audio Player for Music, Radio & Podcast by Sonaar allows attackers to craft malicious URLs that the plugin will request, potentially revealing internal resources, exposing sensitive data, or facilitating further attacks. The vulnerability originates from unsanitized handling of external URLs. The impact is elevated confidentiality and integrity risks for systems hosting the plugin, with possible denial of service if excessive requests are executed.", "risk_and_exploitability": "The CVSS score is not provided, but SSRF is commonly exploitable over the network. EPSS score is not available, and the vulnerability is not in the KEV catalog. The attack vector is likely remote, requiring authentication or privilege to upload a malicious URL, but the description does not explicitly state prerequisites. Given the potential for internal network probing, the risk should be considered significant for exposed WordPress instances."}}}}, "created": "2026-04-08T19:41:28.792504+00:00", "updated": "2026-04-09T08:22:04.957252+00:00", "vendors": ["sonaar", "sonaar$PRODUCT$mp3_audio_player_for_music,_radio_&_podcast", "wordpress", "wordpress$PRODUCT$wordpress"]}