CVE-2025-32290 HIGH

CVE-2025-32290: WordPress Sticky HTML5 Music Player plugin <= 3.1.6 - SQL Injection Vulnerability

Vendor Lambertgroup
Product Sticky HTML5 Music Player
Weakness CWE-89 · SQLi
Published May 16, 2025
Last update April 28, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Sticky HTML5 Music Player lbg-audio3-html5 allows SQL Injection.This issue affects Sticky HTML5 Music Player: from n/a through <= 3.1.6.

Explanation of Vulnerability in Simple Terms

02Summary

Sticky HTML5 Music Player versions 3.1.6 and earlier contain a SQL injection vulnerability accessible to authenticated users. An attacker with low-level account access can craft malicious input to extract or modify database records. The vulnerability affects the entire site scope and can result in unauthorized data disclosure and service disruption.

What an attacker can do

03Attacker Capabilities

Read or modify database records by injecting SQL commands through the player interface.

Potential impact on your site

04Site Impact

Unauthorized users can access sensitive data or corrupt the database, potentially affecting site stability and user privacy.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

May 16, 2025 CVE published
April 28, 2026 Record updated