AudioIgniter
- <= 2.0.2
An insecure direct object reference (IDOR) vulnerability has been identified in the AudioIgniter plugin for WordPress, affecting versions through 2.0.2. The issue is in the handle_playlist_endpoint() function, which is hooked to the template_redirect action. This function accepts a user-controlled playlist ID via the audioigniter_playlist_id query variable or through the /audioigniter/playlist/{id}/ rewrite rule. It returns playlist track data without authentication, capability checks, or validation of post status; the only thing it verifies is the post type. As a result, unauthenticated attackers can access track metadata, including titles, artists, audio URLs, purchase links, download URLs, and cover images, for any playlist on the site, regardless of its status (draft, private, pending, or trash).
Exploitation of this vulnerability allows unauthenticated users to access and view sensitive track metadata from any playlist on the site, including those not publicly available.
To reproduce this vulnerability, send a request to the WordPress site with the AudioIgniter plugin installed, using either the audioigniter_playlist_id query variable or the /audioigniter/playlist/{id}/ rewrite rule. The request can be made without authentication, and it will return track data for the specified playlist ID, including metadata for tracks in draft, private, pending, or trash status.
Users are advised to update the AudioIgniter plugin to version 2.0.3 or later, where this vulnerability has been patched.
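To check whether the endpoint was queried before the update, the following added example (not part of the advisory or of the plugin's code) scans web server access logs for both request forms described above and reports which playlist IDs each client was served. Assumptions: combined log format, disclosed data is returned with a 2xx status, `restricted_ids` is a list of non-public playlist IDs the site owner supplies, and the threshold and sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-format access log line: client IP, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# Rewrite-rule form of the endpoint: /audioigniter/playlist/{id}/
PATH_RE = re.compile(r'/audioigniter/playlist/([0-9]+)/?$')

def playlist_id(target):
    """Return the playlist ID a request target asks for, or None."""
    parts = urlsplit(target)
    m = PATH_RE.search(parts.path)
    if m:
        return int(m.group(1))
    # Query-variable form: ?audioigniter_playlist_id={id}
    for value in parse_qs(parts.query).get("audioigniter_playlist_id", []):
        m = re.match(r"[0-9]+", value)
        if m:
            return int(m.group())
    return None

def scan(lines, restricted_ids, enum_threshold=3):
    """Per client: IDs served, restricted IDs among them, enumeration flag."""
    served = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group(3).startswith("2"):
            continue  # assumption: disclosed data is returned with a 2xx status
        pid = playlist_id(m.group(2))
        if pid is not None:
            served[m.group(1)].add(pid)
    return {ip: {"ids": sorted(ids),
                 "restricted": sorted(ids & set(restricted_ids)),
                 "enumeration": len(ids) >= enum_threshold}
            for ip, ids in served.items()}

# Constructed sample log lines (documentation IP ranges, made-up post IDs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /audioigniter/playlist/41/ HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /audioigniter/playlist/42/ HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.10 - - [01/Jan/2025:10:00:02 +0000] "GET /?audioigniter_playlist_id=43 HTTP/1.1" 200 530 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:11:00:00 +0000] "GET /audioigniter/playlist/41/ HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:11:00:05 +0000] "GET /audioigniter/playlist/99/ HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2025:12:00:00 +0000] "GET /blog/?p=43 HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    # 43 stands in for a playlist the site owner knows to be draft or private.
    for ip, finding in scan(SAMPLE_LOG, restricted_ids={43}).items():
        print(ip, finding)
```

A single request for a published playlist is not by itself a finding; the signals are entries under `restricted` and clients with `enumeration` set.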