CVE-2025-53564

The HTML5 Radio Player - WPBakery Page Builder Addon plugin for WordPress (versions up to and including 2.5) suffers from a reflected Cross-Site Scripting (XSS) vulnerability. This arises from improper neutralization of user-supplied input during web page generation, enabling an attacker to inject arbitrary JavaScript or HTML into a response.

To exploit this vulnerability, an attacker must trick a privileged user (such as an administrator) into clicking a crafted link or submitting a malicious form. The attack does not require authentication to initiate—only the victim's interaction—and can be performed over HTTP. The injected payload executes in the context of the victim's browser session on the affected WordPress site.

Successful exploitation allows the attacker to execute arbitrary scripts, which can be used to redirect visitors, serve advertisements, steal session cookies, or deface the site. The CVSS v3 base score of 7.1 reflects the moderate to high impact given the potential for broad, automated mass-exploit campaigns targeting thousands of websites.

A patched version, 2.5.2, has been released to resolve the issue. Users are strongly advised to update immediately. Those unable to update should apply virtual patching via a firewall rule (e.g., Patchstack’s mitigation rule) or seek assistance from their hosting provider [1].