CVE-2025-31926 HIGH

CVE-2025-31926: WordPress Sticky Radio Player plugin <= 3.4 - SQL Injection Vulnerability

Vendor Lambertgroup
Product Sticky Radio Player
Weakness CWE-89 · SQLi
Published May 16, 2025
Last update April 28, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Sticky Radio Player lbg-audio5-html5-shoutcast_sticky allows SQL Injection.This issue affects Sticky Radio Player: from n/a through <= 3.4.

Explanation of Vulnerability in Simple Terms

02Summary

Sticky Radio Player versions 3.4 and earlier contain a SQL injection vulnerability accessible to authenticated users with low privileges. An attacker can craft malicious input to extract or modify database records, including sensitive information. The vulnerability affects the entire application scope due to database access. No user interaction is required once authenticated.

What an attacker can do

03Attacker Capabilities

Read or modify database records, including user data and site configuration, via SQL injection.

Potential impact on your site

04Site Impact

Unauthorized access to database contents and potential data modification or loss affecting all site users.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06Disclosure timeline

May 16, 2025 CVE published
April 28, 2026 Record updated