HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Security & Risk Analysis

wordpress.org/plugins/html5-audio-player

Maximize your WordPress site's potential with our versatile HTML5 Audio Player plugin. Seamlessly play .mp3, .wav, .ogg, and more audio files

10K active installs · v2.5.3 · PHP 7.1+ · WP 5.2+ · Updated Apr 9, 2026
Tags: audio, audio-player, mp3-player, player, podcast
Score: 92 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Dec 18, 2025
Safety Verdict

Is HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Safe to Use in 2026?

Generally Safe

Score 92/100

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

6 known CVEs · Last CVE: Dec 18, 2025 · Updated 1mo ago
Risk Assessment

The "html5-audio-player" v2.5.3 plugin presents a mixed security posture. On the positive side, the code analysis shows good practices in several areas: a high percentage of SQL queries use prepared statements, and a substantial number of output operations are escaped. The plugin also includes a respectable number of nonce and capability checks, indicating an awareness of common WordPress security vulnerabilities. However, the presence of one unprotected AJAX handler is a significant concern, because it is an entry point that can be reached without authentication. The vulnerability history is also a notable weakness: 6 CVEs, including one high-severity vulnerability, covering common types such as SSRF and XSS. While there are currently no unpatched vulnerabilities, this trend suggests a recurring pattern of security flaws, so users need to apply patches and updates diligently.

Key Concerns

  • Unprotected AJAX handler found
  • History of 6 CVEs, including 1 high severity
  • Bundled Freemius v1.0 library
Vulnerabilities
6 published

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2024: 2 CVEs
2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 5

6 total CVEs

CVE-2025-13999 · high · 7.2 · Server-Side Request Forgery (SSRF)

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player 2.4.0 - 2.5.1 - Unauthenticated Server-Side Request Forgery

Dec 18, 2025 Patched in 2.5.2 (1d)

CVE-2025-39524 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Html5 Audio Player <= 2.2.28 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2025 Patched in 2.3.0 (6d)

CVE-2024-37445 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Html5 Audio Player <= 2.2.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 28, 2024 Patched in 2.2.24 (5d)

CVE-2024-4398 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML5 Audio Player- Best WordPress Audio Player Plugin <= 2.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

May 9, 2024 Patched in 2.2.22 (1d)

CVE-2023-0170 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Html5 Audio Player <= 2.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 12, 2023 Patched in 2.1.12 (376d)

CVE-2021-24412 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Html5 Audio Player <= 2.1.2 - Contributor+ Stored Cross-Site Scripting

Sep 20, 2021 Patched in 2.1.3 (855d)
Code Analysis
Analyzed Mar 16, 2026

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (4 prepared)
Unescaped Output: 241 (626 escaped)
Nonce Checks: 15
Capability Checks: 11
File Operations: 4
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

TinyMCE, Freemius 1.0

SQL Query Safety

67% prepared · 6 total queries

Output Escaping

72% escaped · 867 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

6 flows
csf_export (admin\codestar-framework\functions\actions.php:62)
Attack Surface
1 unprotected

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Attack Surface

Entry Points: 17
Unprotected: 1

AJAX Handlers 8

auth · wp_ajax_csf-get-icons · admin\codestar-framework\functions\actions.php:50
auth · wp_ajax_csf-export · admin\codestar-framework\functions\actions.php:87
auth · wp_ajax_csf-import · admin\codestar-framework\functions\actions.php:123
auth · wp_ajax_csf-reset · admin\codestar-framework\functions\actions.php:150
auth · wp_ajax_csf-chosen · admin\codestar-framework\functions\actions.php:189
auth · wp_ajax_h5ap_get_stream_data · inc\Core\Ajax.php:9
nopriv · wp_ajax_h5ap_get_stream_data · inc\Core\Ajax.php:10
auth · wp_ajax_ewic_grab_slider_list_ajax · tinymce\ewic-tinymce.php:36

Shortcodes 9

[audio_player] inc\Services\Shortcode.php:13
[bypass_audio_player] inc\Services\Shortcode.php:14
[h5ap_radio_player] inc\Services\Shortcode.php:15
[h5ap_search_form] inc\Services\ShortcodePro.php:14
[audio_player] inc\Services\ShortcodePro.php:15
[bypass_audio_player] inc\Services\ShortcodePro.php:16
[single_button] inc\Services\ShortcodePro.php:17
[h5ap_radio_player] inc\Services\ShortcodePro.php:18
[player] shortcode\player.php:2

WordPress Hooks 93

action · wp_enqueue_scripts · admin\codestar-framework\classes\abstract.class.php:20
action · admin_menu · admin\codestar-framework\classes\admin-options.class.php:107
action · admin_bar_menu · admin\codestar-framework\classes\admin-options.class.php:108
action · network_admin_menu · admin\codestar-framework\classes\admin-options.class.php:112
filter · admin_footer_text · admin\codestar-framework\classes\admin-options.class.php:432
action · add_meta_boxes_comment · admin\codestar-framework\classes\comment-options.class.php:38
action · edit_comment · admin\codestar-framework\classes\comment-options.class.php:39
action · customize_register · admin\codestar-framework\classes\customize-options.class.php:44
action · customize_save_after · admin\codestar-framework\classes\customize-options.class.php:45
action · wp_enqueue_scripts · admin\codestar-framework\classes\customize-options.class.php:49
action · add_meta_boxes · admin\codestar-framework\classes\metabox-options.class.php:52
action · save_post · admin\codestar-framework\classes\metabox-options.class.php:53
action · edit_attachment · admin\codestar-framework\classes\metabox-options.class.php:54
action · wp_nav_menu_item_custom_fields · admin\codestar-framework\classes\nav-menu-options.class.php:32
action · wp_update_nav_menu_item · admin\codestar-framework\classes\nav-menu-options.class.php:33
filter · wp_edit_nav_menu_walker · admin\codestar-framework\classes\nav-menu-options.class.php:35
action · admin_init · admin\codestar-framework\classes\profile-options.class.php:32
action · show_user_profile · admin\codestar-framework\classes\profile-options.class.php:44
action · edit_user_profile · admin\codestar-framework\classes\profile-options.class.php:45
action · personal_options_update · admin\codestar-framework\classes\profile-options.class.php:47
action · edit_user_profile_update · admin\codestar-framework\classes\profile-options.class.php:48
action · after_setup_theme · admin\codestar-framework\classes\setup.class.php:77
action · init · admin\codestar-framework\classes\setup.class.php:78
action · switch_theme · admin\codestar-framework\classes\setup.class.php:79
action · admin_enqueue_scripts · admin\codestar-framework\classes\setup.class.php:80
action · wp_enqueue_scripts · admin\codestar-framework\classes\setup.class.php:81
action · wp_head · admin\codestar-framework\classes\setup.class.php:82
filter · admin_body_class · admin\codestar-framework\classes\setup.class.php:83
action · admin_footer · admin\codestar-framework\classes\shortcode-options.class.php:47
action · customize_controls_print_footer_scripts · admin\codestar-framework\classes\shortcode-options.class.php:48
action · elementor/editor/before_enqueue_scripts · admin\codestar-framework\classes\shortcode-options.class.php:59
action · elementor/editor/footer · admin\codestar-framework\classes\shortcode-options.class.php:60
action · elementor/editor/footer · admin\codestar-framework\classes\shortcode-options.class.php:61
action · enqueue_block_editor_assets · admin\codestar-framework\classes\shortcode-options.class.php:258
action · media_buttons · admin\codestar-framework\classes\shortcode-options.class.php:262
action · admin_init · admin\codestar-framework\classes\taxonomy-options.class.php:41
action · admin_footer · admin\codestar-framework\fields\icon\icon.php:41
action · customize_controls_print_footer_scripts · admin\codestar-framework\fields\icon\icon.php:42
action · admin_print_footer_scripts · admin\codestar-framework\fields\link\link.php:65
action · print_default_editor_scripts · admin\codestar-framework\fields\wp_editor\wp_editor.php:62
action · admin_menu · admin\codestar-framework\views\welcome.php:19
filter · plugin_action_links · admin\codestar-framework\views\welcome.php:20
filter · plugin_row_meta · admin\codestar-framework\views\welcome.php:21
action · init · blocks\init.php:2
action · init · blocks.php:13
action · enqueue_block_assets · blocks.php:14
action · enqueue_block_editor_assets · blocks.php:15
action · plugins_loaded · html5-audio-player.php:71
filter · template_include · html5-audio-player.php:88
action · admin_enqueue_scripts · inc\admin.php:8
action · admin_menu · inc\admin.php:9
action · admin_enqueue_scripts · inc\Base\BlackFriday.php:10
action · admin_bar_menu · inc\Base\BlackFriday.php:21
action · init · inc\Base\BlackFriday.php:37
action · wp_head · inc\Base\GlobalAction.php:10
action · wp_footer · inc\Base\GlobalAction.php:11
action · wp_head · inc\Base\Loader.php:10
action · init · inc\Elementor\Controls\Register.php:86
action · plugins_loaded · inc\Elementor\Controls\Register.php:87
action · elementor/controls/controls_registered · inc\Elementor\Controls\Register.php:123
action · elementor/frontend/after_register_scripts · inc\Elementor\Widgets\Register.php:49
action · elementor/widgets/register · inc\Elementor\Widgets\Register.php:52
action · elementor/controls/controls_registered · inc\Elementor\Widgets\Register.php:54
action · init · inc\Field\AudioPlayer.php:10
action · init · inc\Field\Settings.php:14
action · wp_footer · inc\Model\GlobalChanges.php:17
action · wp_head · inc\Model\GlobalChanges.php:18
action · admin_footer · inc\Model\GlobalChanges.php:20
action · admin_head-post.php · inc\Model\GlobalChanges.php:22
action · admin_head-post-new.php · inc\Model\GlobalChanges.php:23
action · init · inc\PostType\AudioPlayer.php:15
filter · post_row_actions · inc\PostType\AudioPlayer.php:17
action · edit_form_after_title · inc\PostType\AudioPlayer.php:18
filter · manage_audioplayer_posts_columns · inc\PostType\AudioPlayer.php:19
action · manage_audioplayer_posts_custom_column · inc\PostType\AudioPlayer.php:20
filter · post_updated_messages · inc\PostType\AudioPlayer.php:21
filter · post_row_actions · inc\PostType\AudioPlayer.php:24
action · admin_action_bp_duplicate_post_as_draft · inc\PostType\AudioPlayer.php:25
action · init · inc\PostType\RadioPlayer.php:15
filter · post_row_actions · inc\PostType\RadioPlayer.php:17
filter · manage_radioplayer_posts_columns · inc\PostType\RadioPlayer.php:18
action · manage_radioplayer_posts_custom_column · inc\PostType\RadioPlayer.php:19
filter · post_updated_messages · inc\PostType\RadioPlayer.php:20
filter · post_row_actions · inc\PostType\RadioPlayer.php:23
action · admin_action_bp_duplicate_post_as_draft · inc\PostType\RadioPlayer.php:24
action · use_block_editor_for_post · inc\PostType\RadioPlayer.php:27
action · init · inc\Services\AdminNotice.php:16
action · wp_enqueue_scripts · inc\Services\EnqueueAssets.php:17
action · admin_enqueue_scripts · inc\Services\EnqueueAssets.php:18
action · admin_init · tinymce\ewic-tinymce.php:46
action · admin_head · tinymce\ewic-tinymce.php:53
action · media_buttons · tinymce\ewic-tinymce.php:68
action · admin_footer · tinymce\ewic-tinymce.php:83

Maintenance & Trust

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 9, 2026
PHP min version: 7.1
Downloads: 449K

Community Trust

Rating: 92/100
Number of ratings: 166
Active installs: 10K
Developer Profile

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Developer Profile

colorlibplugins

121 plugins · 740K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 130 days
Detection Fingerprints

How We Detect HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/html5-audio-player/css/jquery.nice-select.min.css
/wp-content/plugins/html5-audio-player/css/owl.carousel.min.css
/wp-content/plugins/html5-audio-player/css/style.css
/wp-content/plugins/html5-audio-player/js/audio-player.js
/wp-content/plugins/html5-audio-player/js/isotope.pkgd.min.js
/wp-content/plugins/html5-audio-player/js/jquery.mousewheel.min.js
/wp-content/plugins/html5-audio-player/js/owl.carousel.min.js
/wp-content/plugins/html5-audio-player/js/script.js

Script Paths
/wp-content/plugins/html5-audio-player/js/jquery.mousewheel.min.js
/wp-content/plugins/html5-audio-player/js/owl.carousel.min.js
/wp-content/plugins/html5-audio-player/js/isotope.pkgd.min.js
/wp-content/plugins/html5-audio-player/js/audio-player.js
/wp-content/plugins/html5-audio-player/js/script.js

Version Parameters
html5-audio-player/css/style.css?ver=
html5-audio-player/js/audio-player.js?ver=

HTML / DOM Fingerprints

CSS Classes
h5ap-audio-player-wrapper
h5ap-player-playlist
h5ap-player-controls
h5ap-player-progress
h5ap-player-volume
h5ap-player-playlist-item
h5ap-player-current-time
h5ap-player-duration
+3 more

HTML Comments
<!-- HTML5 Audio Player Start -->
<!-- HTML5 Audio Player End -->

Data Attributes
data-audio-id
data-playlist-url

JS Globals
h5ap_params
REST Endpoints
/wp-json/h5ap/v1/get_playlist
Shortcode Output
[h5ap_player]