CVE-2025-48163: SHOUT HTML5 Radio Player XSS Vulnerability

CVE-2025-48163 Overview

CVE-2025-48163 is a reflected Cross-Site Scripting (XSS) vulnerability in the LambertGroup SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support WordPress plugin (lbg-audio8-html5-radio-ads). The flaw affects all versions up to and including 3.5.4 and stems from improper neutralization of user-supplied input during web page generation [CWE-79]. Attackers can craft malicious URLs that execute arbitrary JavaScript in the browser of any user who interacts with the link. Successful exploitation can lead to session hijacking, credential theft, and unauthorized actions performed in the victim's authenticated context.

Critical Impact

Attackers can execute arbitrary JavaScript in a victim's browser session by tricking authenticated users into visiting a crafted URL, enabling account compromise and content manipulation on affected WordPress sites.

Affected Products

• LambertGroup SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support
• Plugin slug: lbg-audio8-html5-radio-ads
• All versions from initial release through 3.5.4

Discovery Timeline

• 2025-08-20 - CVE-2025-48163 published to the National Vulnerability Database
• 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-48163

Vulnerability Analysis

The vulnerability is a reflected XSS issue classified under [CWE-79], Improper Neutralization of Input During Web Page Generation. The SHOUT HTML5 Radio Player plugin accepts user-supplied input through HTTP request parameters and reflects that input back into the rendered HTML response without applying proper output encoding or input sanitization.

Because the attack vector is network-based and requires user interaction, exploitation typically occurs through phishing links or malicious referrer chains. The scope is changed, meaning script execution can affect resources beyond the vulnerable component, including authenticated WordPress sessions. An attacker requires no privileges on the target site to craft a working payload.

Root Cause

The plugin fails to sanitize or encode user-controlled parameters before embedding them in HTML output. When a request contains script content in a vulnerable parameter, the server reflects that content directly into the response page, where the browser interprets it as executable JavaScript.

Attack Vector

An attacker constructs a URL containing a JavaScript payload in a vulnerable query parameter handled by the plugin. The attacker delivers the link through phishing email, malicious advertisements, or social media. When a victim — particularly a logged-in WordPress administrator — clicks the link, the injected script executes in the context of the WordPress site, granting the attacker access to cookies, session tokens, and the Document Object Model. Technical specifics of the affected parameter are available in the Patchstack vulnerability advisory.

Detection Methods for CVE-2025-48163

Indicators of Compromise

• HTTP GET or POST requests to plugin endpoints containing URL-encoded <script>, javascript:, onerror=, or onload= patterns
• Unexpected outbound requests from administrator browsers to attacker-controlled domains following clicks on inbound links
• WordPress admin sessions performing unusual configuration changes shortly after URL-based interactions
• Web server access logs showing query strings with HTML entities or encoded angle brackets targeting lbg-audio8-html5-radio-ads paths

Detection Strategies

• Inspect web server and Web Application Firewall (WAF) logs for requests targeting the lbg-audio8-html5-radio-ads plugin path with suspicious payloads in parameters
• Deploy WAF rules that flag reflected XSS signatures including event handler attributes and inline script tags in query strings
• Monitor browser-based telemetry from endpoint agents for anomalous script execution on WordPress administrative pages

Monitoring Recommendations

• Enable verbose access logging on WordPress sites running the SHOUT plugin and forward logs to a centralized SIEM
• Alert on referrer headers originating from untrusted external domains pointing to plugin-handled URLs
• Track sudden changes to user accounts, plugin settings, or published content immediately after administrator login events

How to Mitigate CVE-2025-48163

Immediate Actions Required

• Identify all WordPress installations running the lbg-audio8-html5-radio-ads plugin version 3.5.4 or earlier
• Disable the plugin until a vendor-supplied patched version is available and verified
• Instruct administrators to avoid clicking unsolicited links to sites hosting the plugin and to log out of WordPress sessions when not in use
• Rotate WordPress administrator credentials and invalidate active sessions if exploitation is suspected

Patch Information

At the time of publication, the vendor advisory tracked through Patchstack lists all versions through 3.5.4 as affected. Review the Patchstack advisory for CVE-2025-48163 for the latest patched version and apply it as soon as it becomes available.

Workarounds

• Deploy a WAF with managed rule sets covering OWASP Top 10 XSS patterns and enable virtual patching for known WordPress plugin vulnerabilities
• Implement a strict Content Security Policy (CSP) header restricting inline script execution and limiting allowed script sources
• Restrict access to WordPress administrative paths by IP allowlist where operationally feasible
• Remove the plugin entirely if it is not business-critical and replace it with an actively maintained alternative

# Example nginx Content Security Policy header to limit XSS impact
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;