CVE-2025-48163: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in LambertGroup's SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support WordPress plugin, affecting versions through 3.5.4. The vulnerability was identified on June 12, 2025, and publicly disclosed on July 17, 2025. This security flaw was assigned the identifier CVE-2025-48163 and involves improper neutralization of input during web page generation (Debian Tracker, Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 7.1 (Medium severity). The attack vector is characterized as Network (AV:N) with Low attack complexity (AC:L), requiring No privileges (PR:N) and User interaction (UI:R). The scope is Changed (S:C) with Low confidentiality impact (C:L) and Low integrity impact (I:L), and No availability impact (A:N) (Patchstack).

The vulnerability could allow malicious actors to inject harmful scripts, including redirects and unwanted advertisements, into the affected website. These malicious payloads would be executed when visitors access the compromised site, potentially leading to unauthorized data access or manipulation of user interactions (Patchstack).

The vulnerability has been fixed in version 3.5.5 of the plugin. Site administrators are strongly advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate the vulnerability by blocking potential attacks (Patchstack).