CVE-2023-54351

HIGH

WordPress Sonaar Music Plugin 4.7 Stored XSS via Comments

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54351, a PoC published by Furkan Karaarslan.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in the WordPress Sonaar Music Plugin 4.7 by injecting a malicious script into the comment section of a playlist page. The payload is executed when the comment is rendered, confirming the vulnerability.

Description

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages.

Exploits (1)

exploitdb · WORKING POC
by Furkan Karaarslan · text · webapps · php
https://www.exploit-db.com/exploits/51739

Classification
Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Sonaar Music Plugin 4.7
No auth needed
Prerequisites: WordPress with Sonaar Music Plugin 4.7 installed · Ability to post comments on a playlist page
Analyzed by devstral-2 on Jun 08, 2026

References (2)

Core References (2)
Exploit
ExploitDB-51739
https://www.exploit-db.com/exploits/51739
Third Party Advisory
VulnCheck Advisory: WordPress Sonaar Music Plugin 4.7 Stored XSS via Comments
https://www.vulncheck.com/advisories/wordpress-sonaar-music-plugin-stored-xss-via-comments

Scores

CVSS v3: 7.2
EPSS: 0.0007
EPSS Percentile: 22.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1)
Sonaar / Sonaar Music Plugin 4.7
Published: Jun 08, 2026
Tracked Since: Jun 08, 2026