CVE-2025-13999 HIGH

CVE-2025-13999: HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player 2.4.0 - 2.5.1 - Unauthenticated Server-Side Request Forgery

Vendor: Bplugins
Product: HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player
Weakness: CWE-918 · SSRF
Published: December 19, 2025
Last update: December 19, 2025

CVSS base score: 7.2/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions from 2.4.0 up to, and including, 2.5.1 via the getIcyMetadata() function. This allows unauthenticated attackers to make the web application issue web requests to arbitrary locations, which can be used to query and modify information from internal services.

Key dates

02 Disclosure timeline

December 19, 2025: CVE published
December 19, 2025: Record updated
