Cross-site Scripting Vulnerability in LambertGroup Apollo Player
CVE-2025-48168

7.1HIGH

Key Information:

Vendor: WordPress
Status: Apollo - Sticky Full Width Html5 Audio Player
Vendor: CVE Published:; 20 August 2025

What is CVE-2025-48168?

The Apollo - Sticky Full Width HTML5 Audio Player by LambertGroup contains a Cross-site Scripting (XSS) vulnerability that allows an attacker to inject malicious scripts into web pages. This reflected XSS flaw can be exploited by sending specially crafted requests to the affected player, potentially compromising user data and web application integrity. Users of versions from n/a to 3.4 should consider implementing remediation strategies to mitigate exposure to this security issue.

Affected Version(s)

Apollo - Sticky Full Width HTML5 Audio Player <= 3.4

References

https://patchstack.com/database/wordpress/plugin/lbg-audi...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2025
Vulnerability Reserved
May 15, 2025

Credit

João Pedro S Alcântara (Kinorth) (Patchstack Alliance)