Stored Cross-Site Scripting Vulnerability in Music Player Plugin for WordPress
CVE-2025-5340
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 3 June 2025
What is CVE-2025-5340?
The Music Player for Elementor plugin for WordPress has a vulnerability that allows authenticated attackers with Contributor-level access or higher to execute arbitrary web scripts on users' browsers. This occurs through the insufficient input sanitization and output escaping of the 'album_buy_url' parameter, impacting all versions up to and including 2.4.6. When the malicious script is injected into a page, it executes when any user visits that page, potentially leading to unauthorized actions or data exposure.
Affected Version(s)
Music Player for Elementor – Audio Player & Podcast Player * <= 2.4.6