CVE-2024-13157
Description
Stored XSS in MP3 Audio Player plugin for WordPress enables authenticated contributors to inject arbitrary scripts via RSS feed attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The MP3 Audio Player – Music Player, Podcast Player & Radio plugin for WordPress (up to version 5.9.3) contains a stored cross-site scripting vulnerability in its Podcast RSS Feed functionality. The flaw stems from insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious data to be embedded in the RSS feed output [1].
Exploitation requires an authenticated user with at minimum contributor-level access. The attacker can inject arbitrary web scripts (e.g., JavaScript) into a podcast feed entry. When any user—including administrators—visits a page that renders the manipulated feed, the injected script executes within the context of the victim's session [1].
Successful exploitation enables an attacker to perform actions such as stealing session cookies, defacing pages, or redirecting users to malicious sites. Since the script executes in the browser of any visitor to the affected page, the impact can spread to all users of the WordPress site [1].
As of publication, a patched version has not been indicated for this specific CVE. Users should apply any available updates from the plugin's developer and consider limiting contributor-level accounts. The vulnerability has a CVSS v3 score of 6.4, reflecting medium severity [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
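The narrative above attributes the flaw to missing sanitization and escaping of user-supplied attributes rendered into the feed. As an added illustration that is not the plugin's code and is not taken from the cited references, the PHP sketch below contrasts an RSS item builder that interpolates contributor-supplied attributes raw with one that escapes each value for the context it lands in, using WordPress's esc_html(), esc_attr() and esc_url(). The build_item_* function names, the constructed sample input and the simplified stand-in helpers that let it run outside WordPress are all assumptions.

```php
<?php
// Added illustration, not the plugin's code: an RSS <item> built from
// contributor-controlled attributes, first without and then with
// context-appropriate escaping.
// Outside WordPress the esc_* helpers do not exist, so simplified stand-ins
// are defined here; inside WordPress the real helpers take precedence.

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in: only http/https URLs survive, and the result is attribute-escaped.
    function esc_url(string $s): string {
        $s = trim($s);
        if (!preg_match('#^https?://#i', $s)) {
            return '';
        }
        return esc_attr($s);
    }
}

// Vulnerable shape: attribute values dropped straight into markup.
// A double quote in the title closes the attribute; a non-http scheme in the
// audio URL reaches the feed reader unchanged.
function build_item_unescaped(array $atts): string {
    return "<item><title>{$atts['title']}</title>"
         . "<enclosure url=\"{$atts['audio']}\" type=\"audio/mpeg\"/>"
         . "<description><![CDATA[<a href=\"{$atts['link']}\" title=\"{$atts['title']}\">"
         . "{$atts['title']}</a>]]></description></item>";
}

// Hardened shape: each value escaped for the context it lands in.
// Text nodes get esc_html(), attribute values esc_attr(), URLs esc_url().
// The CDATA block is still HTML to the feed reader, so it is escaped too.
function build_item_escaped(array $atts): string {
    $title     = esc_html($atts['title'] ?? '');
    $titleAttr = esc_attr($atts['title'] ?? '');
    $audio     = esc_url($atts['audio'] ?? '');
    $link      = esc_url($atts['link'] ?? '');
    return "<item><title>{$title}</title>"
         . "<enclosure url=\"{$audio}\" type=\"audio/mpeg\"/>"
         . "<description><![CDATA[<a href=\"{$link}\" title=\"{$titleAttr}\">"
         . "{$title}</a>]]></description></item>";
}

// Constructed sample input: a title with quotes and a tag, and an audio URL
// with a non-http scheme.
$sample = [
    'title' => 'Episode "1" <b>bold</b>',
    'audio' => 'javascript:void(0)',
    'link'  => 'https://example.test/ep1',
];

echo build_item_unescaped($sample), PHP_EOL; // quotes and tag pass through, odd scheme kept
echo build_item_escaped($sample), PHP_EOL;   // quotes and tag encoded, odd scheme dropped
```

Run with `php this_file.php` to see the two outputs side by side. The point to check in a review of any feed-rendering code is that escaping is chosen per output context at the point of output, not once at input time, because the same attribute value lands in a text node, an attribute and a URL.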
Affected products: 1
Patches: 1
r3231414
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.