CVE-2025-54056

The Responsive HTML5 Audio Player PRO With Playlist plugin for WordPress (lbg-audio2-html5) versions up to 3.5.8 contain a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into web pages.

Exploitation requires user interaction — a privileged user must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. No authentication is required to initiate the attack, but the target must perform an action for the payload to execute. The attack is considered moderately dangerous and is expected to be part of mass-exploit campaigns targeting thousands of websites regardless of their traffic or popularity [1].

Successful exploitation enables an attacker to inject malicious scripts that may redirect visitors, display advertisements, or deliver other HTML payloads, which execute when users visit the affected site [1]. This could lead to data theft, session hijacking, or defacement.

Users are strongly advised to update the plugin to version 3.5.9 or later, which patches the vulnerability [1]. For those unable to update immediately, Patchstack provides a mitigation rule to block attacks until the update is applied [1].