CVE-2025-48168
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Apollo - Sticky Full Width HTML5 Audio Player lbg-audio5-html5-shoutcast-sticky allows Reflected XSS.This issue affects Apollo - Sticky Full Width HTML5 Audio Player: from n/a through <= 3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress Apollo plugin ≤3.4 allows attackers to inject scripts via improperly neutralized input.
The plugin Apollo - Sticky Full Width HTML5 Audio Player (lbg-audio5-html5-shoutcast-sticky) for WordPress versions up to and including 3.4 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1].
Attackers can exploit this issue by crafting a malicious link or form that, when clicked or submitted by a privileged user (such as an administrator), injects arbitrary HTML or JavaScript into the page. User interaction is required for successful exploitation [1].
The injected script can perform actions like redirecting visitors, displaying advertisements, or stealing session cookies. This could lead to defacement, phishing, or further compromise of the WordPress site [1]. The CVSS score is 7.1, reflecting moderate severity.
To mitigate the vulnerability, the vendor has released version 3.6.4 which includes a fix. Users are strongly advised to update immediately. Patchstack also provides a mitigation rule for those unable to update right away [1]. Given that this vulnerability is expected to be used in mass-exploit campaigns, prompt action is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=3.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.