CVE-2025-48163
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support lbg-audio8-html5-radio-ads allows Reflected XSS. This issue affects SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support: from n/a through <= 3.5.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the SHOUT - HTML5 Radio Player plugin (<=3.5.4) allows unauthenticated attackers to inject malicious scripts because user-supplied input is not properly sanitized.
A reflected cross-site scripting (XSS) vulnerability exists in the LambertGroup SHOUT - HTML5 Radio Player With Ads plugin for WordPress, version 3.5.4 and earlier. The root cause is improper neutralization of user-supplied input during web page generation, allowing arbitrary script injection without adequate sanitization or escaping [1].
This vulnerability is classified as reflected XSS and requires user interaction. An attacker can trigger the flaw by persuading a privileged user (e.g., an administrator) to click a crafted link or visit a specially prepared page. The attack does not require authentication to initiate, but successful exploitation depends on the targeted user performing an action, such as clicking a malicious link or submitting a form [1].
Successful exploitation enables an attacker to inject malicious scripts into the website's output, which then execute in the context of the victim's browser. Potential impacts include redirecting users to malicious sites, injecting unwanted advertisements, or delivering other HTML payloads. This could compromise the integrity and trustworthiness of the affected WordPress site [1].
The vendor has released version 3.5.5 to resolve this vulnerability. Users are strongly advised to update immediately. Those unable to update should consider applying a mitigation rule, such as the one provided by Patchstack, to block attack attempts until the patch can be applied. The vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.