Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Sticky Radio Player lbg-audio5-html5-shoutcast_sticky allows Reflected XSS. This issue affects Sticky Radio Player: from n/a through <= 3.4.
Published: 2025-06-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Sticky Radio Player plugin contains an improper neutralization of input during web page generation, which results in a reflected cross-site scripting vulnerability as defined by CWE-79. A malicious actor can place script code in a request that the plugin reflects back unescaped in its output, allowing arbitrary JavaScript to execute in a visitor's browser within the site's origin. The description does not explicitly state downstream effects, but it is inferred that executing JavaScript in the victim's session could compromise session integrity or deface the site.

Affected Systems

The flaw affects the Sticky Radio Player plugin from LambertGroup for WordPress, impacting every release up to and including version 3.4. Administrators should confirm the installed version and upgrade if a later patched release exists.

Risk and Exploitability

The CVSS score of 7.1 signals a high potential impact, whereas the EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalogue. The attack vector is inferred to be reflected, requiring a user to visit a crafted URL or submit malicious input that the plugin echoes back to the browser; this is consistent with the AV:N, PR:N and UI:R components of the recorded CVSS vector (network-reachable, no privileges required, user interaction required).

Generated by OpenCVE AI on May 1, 2026 at 07:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Sticky Radio Player plugin to the latest available release that fixes the XSS flaw.
  • After updating, clear all site caches and rebuild cached pages to ensure no stale content containing the vulnerability is served.
  • If no patched version exists, remove the plugin from the WordPress installation to eliminate the vulnerable code path.


Advisories

  Source: EUVD
  ID: EUVD-2025-17501
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Sticky Radio Player allows Reflected XSS. This issue affects Sticky Radio Player: from n/a through 3.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Sticky Radio Player allows Reflected XSS. This issue affects Sticky Radio Player: from n/a through 3.4.
  Description, values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Sticky Radio Player lbg-audio5-html5-shoutcast_sticky allows Reflected XSS. This issue affects Sticky Radio Player: from n/a through <= 3.4.
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

  Metrics (epss), values removed: {'score': 0.00036}
  Metrics (epss), values added: {'score': 0.00039}

Mon, 09 Jun 2025 18:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:15:00 +0000

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Sticky Radio Player allows Reflected XSS. This issue affects Sticky Radio Player: from n/a through 3.4.
  Title: WordPress Sticky Radio Player plugin <= 3.4 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:06.885Z

Reserved: 2025-03-28T11:00:15.484Z

Link: CVE-2025-31426

Vulnrichment

Updated: 2025-06-09T17:16:33.472Z

NVD

Status : Deferred

Published: 2025-06-09T16:15:38.417

Modified: 2026-04-23T15:27:48.280

Link: CVE-2025-31426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')