CVE-2025-53564 Overview
CVE-2025-53564 is a reflected Cross-Site Scripting (XSS) vulnerability in the LambertGroup HTML5 Radio Player WPBakery Page Builder Addon for WordPress. The flaw stems from improper neutralization of input during web page generation [CWE-79] in the lbg_radio_player_addon_visual_composer component. All versions up to and including 2.5 are affected. An unauthenticated attacker can craft a malicious URL that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser session within the context of the vulnerable site.
Critical Impact
A reflected XSS payload runs in the victim's browser with that user's privileges on the site. WordPress sets its authentication cookies HttpOnly, so the realistic goal is not cookie theft but riding an administrator's logged-in session: injected script can load a wp-admin page, read a nonce from it and submit privileged requests as that administrator (create another administrator, edit plugin or theme files, install a plugin), or deface pages and redirect ordinary visitors to malicious destinations.
Affected Products
- LambertGroup HTML5 Radio Player WPBakery Page Builder Addon (lbg_radio_player_addon_visual_composer)
- All plugin versions up to and including 2.5 (the advisory gives no lower bound; treat every installed release as affected)
- WordPress sites using the WPBakery Page Builder ecosystem with this addon installed
Discovery Timeline
- 2025-08-20 - CVE-2025-53564 published to the National Vulnerability Database (NVD)
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-53564
Vulnerability Analysis
The vulnerability is a reflected XSS issue classified under [CWE-79]. The plugin accepts user-controlled input through request parameters and echoes that input into rendered HTML responses without proper sanitization or output encoding. Because the payload is reflected directly back to the browser, an attacker can inject HTML and JavaScript that executes in the victim's session context.
The CVSS vector marks a changed scope (S:C): the vulnerable component is the server-side plugin, but the injected script executes in the victim's browser, a different security authority, with the full privileges of that user's session on the site. Exploitation requires user interaction (UI:R): the victim must open an attacker-supplied link, typically delivered by phishing e-mail or posted in forums, social media, or similar channels.
Root Cause
The root cause is missing output encoding in the addon's request handling: a value taken from the request is written into the HTML produced by the WPBakery shortcode renderer without being escaped for the context it lands in. The standard WordPress escaping functions for that purpose, esc_attr() inside attributes, esc_html() for text content, esc_url() for link targets and wp_kses_post() where limited markup must be allowed, are not applied to the untrusted input. Input validation alone does not close the hole; the fix has to escape at the point of output.
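The following is an added illustration of that CWE-79 pattern, not the plugin's own code: a hypothetical shortcode handler (invented names lbg_demo_radio_player_vulnerable and lbg_demo_radio_player_hardened, invented parameter "station") that reflects a query parameter, shown beside the escaped version. The fallback definitions at the top only exist so the file runs under plain `php` for comparison; inside WordPress the real functions are used.

```php
<?php
// Added example for the CWE-79 pattern described above. This is NOT the plugin's
// code: the handler, the "station" parameter and the markup are invented.

// Minimal fallbacks so the file also runs under plain `php`. Inside WordPress
// these functions already exist and the real ones are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function wp_unslash( $value ) { return is_string( $value ) ? stripslashes( $value ) : $value; }
    function add_shortcode( $tag, $callback ) { /* no-op outside WordPress */ }
}

// VULNERABLE: a request parameter is written into an attribute value and into
// element text with no escaping. A URL such as
//   /radio/?station="><img src=x onerror=alert(document.domain)>
// closes the data-station attribute and injects a tag whose event handler
// runs in the browser of whoever opens the link.
function lbg_demo_radio_player_vulnerable( $atts = array() ) {
    $station = isset( $_GET['station'] ) ? $_GET['station'] : 'default';
    return '<div class="radio-player" data-station="' . $station . '">'
         . '<span class="station-name">' . $station . '</span></div>';
}

// HARDENED: escape for the exact output context, esc_attr() inside the
// attribute and esc_html() for the text node. The browser now receives
// &quot;&gt;&lt;img ...&gt; as inert text. Where the set of valid values is
// known (station slugs, numeric IDs) add an allow-list check before this
// point as well; escaping is the part that must never be skipped.
function lbg_demo_radio_player_hardened( $atts = array() ) {
    $station = isset( $_GET['station'] ) ? wp_unslash( $_GET['station'] ) : 'default';
    return '<div class="radio-player" data-station="' . esc_attr( $station ) . '">'
         . '<span class="station-name">' . esc_html( $station ) . '</span></div>';
}
add_shortcode( 'lbg_demo_radio_player', 'lbg_demo_radio_player_hardened' );

// Demo: simulate the attacker's query string and compare the two outputs.
$_GET['station'] = '"><img src=x onerror=alert(document.domain)>';
echo "vulnerable: ", lbg_demo_radio_player_vulnerable(), "\n";
echo "hardened:   ", lbg_demo_radio_player_hardened(), "\n";
```

Running it under plain `php` prints the vulnerable markup with the injected <img> tag intact and the hardened markup with every quote and angle bracket entity-encoded. The same payload in an href or a script block would need esc_url() or wp_json_encode() respectively; the escaping function must match the context, which is why a single "sanitize on input" pass is not a fix.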
Attack Vector
The attack is conducted over the network with no authentication required. An attacker crafts a URL containing a malicious payload in a vulnerable parameter and delivers it to a target through phishing or social engineering. When the victim opens the link, the payload reflects into the response and executes JavaScript in the victim's browser. If the victim is an authenticated WordPress administrator, the attacker can perform privileged actions such as creating accounts, modifying content, or planting persistent backdoors.
No verified public proof-of-concept exists at the time of writing. See the Patchstack WordPress Vulnerability Report for advisory details.
Detection Methods for CVE-2025-53564
Indicators of Compromise
- Web server access logs showing requests to pages containing the HTML5 Radio Player shortcode with URL-encoded <script>, javascript:, onerror=, or onload= payloads in query parameters
- Unexpected administrator accounts, modified plugin or theme files, or new scheduled tasks in WordPress following suspicious link clicks
- Browser console errors or outbound requests to unfamiliar domains from sessions originating on pages that embed the vulnerable addon
Detection Strategies
- Inspect HTTP request logs for parameters containing reflected payload patterns such as %3Cscript%3E, onmouseover=, or base64-encoded JavaScript directed at URLs that render the radio player addon
- Use a Web Application Firewall (WAF) with OWASP Core Rule Set (CRS) signatures for reflected XSS to flag suspicious query strings
- Correlate Referer headers from external sites with requests to pages containing the addon to spot phishing-driven delivery; a 200 response is returned whether or not the payload executed, so treat the status code as context, not as confirmation of exploitation
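The indicators and log-inspection strategy above, as an added PHP command-line example that is not part of the advisory: it parses Combined Log Format lines, decodes the query string repeatedly so double-encoded payloads are not missed, and matches the decoded value against the patterns listed. The log lines are constructed for the demo, the path filter "/radio/" is a placeholder for whatever pages embed the player on your site, and the function names are invented.

```php
<?php
// Added example (not from the advisory or the plugin): scan web-server access
// log lines for URL-encoded reflected-XSS payloads. Sample lines are constructed.

// Decode a query string repeatedly so double-encoded payloads
// (%253C -> %3C -> <) are caught; cap the passes to bound the work.
function lbg_fully_decode( string $value, int $max_passes = 3 ): string {
    for ( $i = 0; $i < $max_passes; $i++ ) {
        $decoded = urldecode( $value ); // also turns '+' into ' '
        if ( $decoded === $value ) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Patterns a reflected-XSS payload almost always needs once decoded. The event
// handler list is explicit so ordinary parameters like "online=1" do not match.
const LBG_XSS_PATTERNS = array(
    'script_tag'     => '/<\s*script\b/i',
    'javascript_uri' => '/javascript\s*:/i',
    'event_handler'  => '/\bon(error|load|mouseover|focus|click|toggle|animationstart)\s*=/i',
    'tag_injection'  => '/<\s*(img|svg|iframe|body|details|object|embed)\b/i',
);

// Parse one Combined Log Format line into path and query, or null if unparsable.
function lbg_parse_request( string $line ): ?array {
    if ( ! preg_match( '/"(?:GET|POST|HEAD) ([^ ]+) HTTP\/[0-9.]+"/', $line, $m ) ) {
        return null;
    }
    $parts = explode( '?', $m[1], 2 );
    return array( 'path' => $parts[0], 'query' => $parts[1] ?? '' );
}

// Return one finding per suspicious line: pattern name, path and decoded query.
// $path_filter restricts the scan to URLs that render the addon ("" = all).
function lbg_scan_access_log( array $lines, string $path_filter = '' ): array {
    $findings = array();
    foreach ( $lines as $n => $line ) {
        $req = lbg_parse_request( $line );
        if ( null === $req || '' === $req['query'] ) {
            continue;
        }
        if ( '' !== $path_filter && false === strpos( $req['path'], $path_filter ) ) {
            continue;
        }
        $decoded = lbg_fully_decode( $req['query'] );
        foreach ( LBG_XSS_PATTERNS as $name => $regex ) {
            if ( preg_match( $regex, $decoded ) ) {
                $findings[] = array( 'line' => $n + 1, 'pattern' => $name, 'path' => $req['path'], 'query' => $decoded );
                break; // one finding per line is enough for triage
            }
        }
    }
    return $findings;
}

// Constructed sample: a benign request, a single-encoded <script> payload, a
// double-encoded onerror= payload, and a benign line that contains "on...=" text.
$sample_log = array(
    '203.0.113.5 - - [20/Aug/2025:10:01:02 +0000] "GET /radio/?station=jazz HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Aug/2025:10:02:15 +0000] "GET /radio/?station=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5310 "https://phish.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Aug/2025:10:03:40 +0000] "GET /radio/?station=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(document.domain)%253E HTTP/1.1" 200 5330 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Aug/2025:10:04:01 +0000] "GET /radio/?online=1&s=season HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
);

foreach ( lbg_scan_access_log( $sample_log, '/radio/' ) as $f ) {
    printf( "line %d: %s on %s -> %s\n", $f['line'], $f['pattern'], $f['path'], $f['query'] );
}
```

Run with `php scan.php`; it reports line 2 as script_tag and line 3 as event_handler, with the fully decoded payloads, and stays silent on lines 1 and 4. Point it at a real log with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)` in place of the sample array. Base64-wrapped payloads (for example inside an eval(atob(...)) call) need the decoded query to be checked a second time after a base64 pass; that is left out here because it is noisy without site-specific tuning.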
Monitoring Recommendations
- Enable WordPress audit logging to track administrator actions, user creation, and plugin or theme modifications
- Monitor outbound DNS and HTTP traffic from administrator workstations for connections to attacker-controlled domains
- Alert on privileged actions (administrator creation, plugin or theme file edits, option changes) that occur without the usual preceding wp-admin navigation or within seconds of a visit to a public page that embeds the addon; because the injected script rides the victim's own browser session, these requests come from the administrator's normal IP address, so alerts that key only on a new source IP will miss this class of attack
How to Mitigate CVE-2025-53564
Immediate Actions Required
- Disable or remove the HTML5 Radio Player WPBakery Page Builder Addon until an updated version above 2.5 is confirmed available from LambertGroup
- Audit recent administrator activity, user accounts, and plugin or theme file changes for evidence of exploitation
- Rotate WordPress administrator credentials and invalidate active sessions if the plugin was active on a publicly accessible site
Patch Information
At the time of NVD publication, no fixed version above 2.5 is referenced in the advisory. Site operators should consult the Patchstack WordPress Vulnerability Report and the LambertGroup vendor page for updated release information before redeploying the plugin.
Workarounds
- Deploy a WAF rule set that blocks reflected XSS patterns in query parameters targeting WordPress endpoints rendering the radio player addon
- Apply a strict Content Security Policy (CSP) header that disallows inline scripts and restricts script sources to trusted origins; test it in Report-Only mode first, since WordPress core, wp-admin and WPBakery rely on inline scripts and a policy without 'unsafe-inline' (the setting that actually neutralises a reflected payload) will break them until nonces or hashes are added
- Restrict administrative access to WordPress through IP allowlists, multi-factor authentication, and dedicated admin browsers to limit the impact of phishing-delivered XSS payloads
# Example Nginx CSP header to mitigate reflected XSS impact. Caveat: WordPress core,
# wp-admin and WPBakery depend on inline scripts, so script-src without 'unsafe-inline'
# (the very setting that stops a reflected <script> or onerror= payload) will break them
# unless nonces or hashes are added; deploy as Content-Security-Policy-Report-Only first.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.