Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yesstreamingdev Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com shoutcast-and-icecast-html5-web-radio-player-by-yesstreaming-com allows Stored XSS. This issue affects Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com: from n/a through <= 3.3.
Published: 2025-01-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that lets an attacker inject and persist malicious scripts within the WordPress Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com. Once injected, the code executes in the browser of any visitor who views the affected content, potentially allowing session hijacking, defacement, or the delivery of secondary payloads. The weakness is classified as CWE‑79 and requires the attacker to supply input that is not properly neutralized before rendering on the webpage.

Affected Systems

The affected product is the WordPress plugin Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com, controlled by the vendor yesstreamingdev. All releases up to and including version 3.3 are impacted. Users running any of these versions on a WordPress site are potentially susceptible.

Risk and Exploitability

The CVSS score of 5.9 denotes medium severity, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. An attacker can exploit the flaw by submitting malicious content that is stored by the plugin and later rendered to other site visitors, typically via the plugin's configuration or streaming comment fields. Given the stored nature of the XSS, the attack does not require elevated privileges beyond the ability to submit input to the plugin; the CVSS vector recorded for this CVE rates that requirement as high privileges (PR:H) and also requires user interaction (UI:R).

Generated by OpenCVE AI on May 1, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Shoutcast and Icecast HTML5 Web Radio Player to the latest version; if a newer release (>=3.4) contains a fix, install it immediately.
  • If an update is not available, disable the plugin or remove it from the site to eliminate the attack surface.
  • Restrict access to the plugin’s administrative functions to trusted, high‑privilege users only, thereby limiting the risk of an unauthorized user injecting malicious code.
  • Deploy a robust Content Security Policy that restricts inline script execution to mitigate the effect of any remaining XSS payloads.

Advisories
Source: EUVD
ID: EUVD-2025-3477
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YesStreaming.com Shoutcast and Icecast Internet Radio Hosting Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com allows Stored XSS. This issue affects Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com: from n/a through 3.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YesStreaming.com Shoutcast and Icecast Internet Radio Hosting Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com allows Stored XSS. This issue affects Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com: from n/a through 3.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yesstreamingdev Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com shoutcast-and-icecast-html5-web-radio-player-by-yesstreaming-com allows Stored XSS. This issue affects Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com: from n/a through <= 3.3.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YesStreaming.com Shoutcast and Icecast Internet Radio Hosting Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com allows Stored XSS. This issue affects Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com: from n/a through 3.3.
Title WordPress Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com plugin <= 3.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:47:04.534Z

Reserved: 2025-01-16T11:31:13.711Z

Link: CVE-2025-23854

Vulnrichment

Updated: 2025-01-17T17:17:33.221Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:25.357

Modified: 2026-06-17T08:57:37.387

Link: CVE-2025-23854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:45:25Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')