CVE-2025-5340: 
WordPress vulnerability analysis and mitigation

The Music Player for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 2.4.6. The vulnerability exists in the 'albumbuyurl' parameter due to insufficient input sanitization and output escaping (NVD). This security issue was discovered and disclosed on June 3, 2025.

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). The vulnerability exists in the albumbuyurl parameter where insufficient input sanitization and output escaping allow for injection of malicious scripts (NVD, WordPress Plugin).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

The vulnerability has been patched in version 2.4.7 of the Music Player for Elementor plugin. Users should update to this version immediately. The update includes security improvements and additional features such as dynamic capability to the custom purchase link (WordPress Changeset).