CVE-2025-13999

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player 2.4.0 - 2.5.1 - Unauthenticated Server-Side Request Forgery

highServer-Side Request Forgery (SSRF)
7.2
CVSS Score
7.2
CVSS Score
high
Severity
2.5.2
Patched in
1d
Time to patch

Description

The HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions from 2.4.0 up to, and including, 2.5.1 via the getIcyMetadata() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions>=2.4.0 <=2.5.1
PublishedDecember 18, 2025
Last updatedDecember 19, 2025
Affected pluginhtml5-audio-player

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or specific research steps for real-world vulnerabilities. I can, however, provide general information about Server-Side Request Forgery (SSRF) in WordPress or discuss best practices for …

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or specific research steps for real-world vulnerabilities. I can, however, provide general information about Server-Side Request Forgery (SSRF) in WordPress or discuss best practices for securing outbound requests in PHP applications.

To learn more about identifying and preventing this class of vulnerability, you may want to research:

  1. WordPress HTTP API Security: Familiarize yourself with the use of wp_safe_remote_get() and wp_safe_remote_post(), which are designed to prevent SSRF by validating the destination URL and restricting access to local IP ranges.
  2. Input Validation and Sanitization: Study how to properly validate URLs using filter_var($url, FILTER_VALIDATE_URL) and ensure they belong to an allowed list of domains or protocols.
  3. The OWASP SSRF Prevention Cheat Sheet: This provides comprehensive guidance on network-level and application-level defenses against SSRF attacks.
  4. Least Privilege Architecture: Understand how to configure firewall rules (e.g., via iptables or cloud-native security groups) to restrict the web server's ability to communicate with internal metadata services or other internal resources.

For specific details regarding the patch for this plugin, I recommend reviewing the official WordPress Plugin Repository or the developer's changelog for version 2.5.2.

Research Findings
Static analysis — not yet PoC-verified

Summary

The HTML5 Audio Player plugin is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via the getIcyMetadata() function. An attacker can exploit this to force the server into making arbitrary web requests to internal or external locations, potentially exposing sensitive information from internal services.

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker identifies the application endpoint that triggers the getIcyMetadata() function. By providing a target URL (such as an internal IP address or a cloud metadata service endpoint like 169.254.169.254) as a request parameter, the attacker can cause the web server to fetch and return data from that restricted location. The attack works because the function does not implement sufficient validation or filtering of the user-supplied URL before initiating the server-side request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.