Platform
wordpress
Component
html5-audio-player
Fixed version
2.5.2
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress. This flaw, affecting versions 2.4.0 through 2.5.1, allows unauthenticated attackers to initiate web requests to arbitrary locations originating from the WordPress application. The vulnerability resides within the getIcyMetadata() function and poses a risk to systems with sensitive internal services.
The SSRF vulnerability in the HTML5 Audio Player plugin enables attackers to bypass security controls and interact with internal resources that are not directly accessible from the outside. An attacker could leverage this to query internal APIs, potentially exposing sensitive data such as database credentials, configuration files, or internal service status. Furthermore, the attacker might be able to modify data within internal systems if the targeted service allows it. This could lead to data breaches, denial of service, or even complete system compromise. The ability to make arbitrary requests significantly expands the attack surface beyond the plugin itself.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, suggesting limited active exploitation at this time. The vulnerability was publicly disclosed on December 18, 2025. The SSRF nature of the vulnerability means it could be exploited silently, making detection challenging without proper monitoring and mitigation.
WordPress websites utilizing the HTML5 Audio Player plugin, particularly those with sensitive internal services accessible via HTTP or HTTPS, are at risk. Shared hosting environments where the plugin is installed on a multi-tenant server are especially vulnerable, as a compromise of one site could potentially expose internal resources of other sites on the same server.
• wordpress / composer / npm:
grep -r 'getIcyMetadata()' /var/www/html/wp-content/plugins/html5-audio-player/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/html5-audio-player/ | grep Server
• wordpress / composer / npm:
wp plugin list --status=all | grep 'html5-audio-player'
• wordpress / composer / npm:
wp plugin update html5-audio-player
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13999 is to immediately upgrade the HTML5 Audio Player plugin to version 2.5.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider a Web Application Firewall (WAF) rule that blocks requests reaching the getIcyMetadata() code path. Restrict the WordPress server's network access so that only necessary outbound connections are allowed. Monitor web server access logs for unusual requests to the plugin's directory and for unexpected outbound connections from the server. After upgrading, confirm the fix by attempting to trigger the getIcyMetadata() function with a known internal resource and verifying that the request is blocked or handled appropriately.
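The underlying defect class is a caller-supplied stream URL reaching a server-side fetch without host validation. The guard below is an added, illustrative example of the check a defender would want in front of any ICY metadata fetch; it is not the plugin's own code. It assumes an injected resolver callback and a constructed DNS table so that it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public_address(addr_text):
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata endpoints live), CGNAT, multicast and reserved space.
    return ip.is_global


def validate_stream_url(url, resolve):
    """Return (ok, reason). `resolve(host)` must return every address the host
    maps to (in production: all getaddrinfo results); injected here so the
    example runs offline. Callers must also disable redirect following or
    re-validate each hop, and connect to the validated address, not the name."""
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed port such as ':8o00'
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]           # literal IP, nothing to resolve
    except ValueError:
        addresses = resolve(host)    # every A/AAAA answer must pass the check
    if not addresses:
        return False, "host does not resolve"
    if not all(_is_public_address(a) for a in addresses):
        return False, "resolves to a non-public address"
    return True, "ok"


# Constructed resolver table standing in for DNS (hypothetical hosts).
FAKE_DNS = {
    "stream.example.com": ["8.8.8.8"],               # public address
    "internal.example.com": ["10.0.0.5"],            # RFC 1918 address
    "rebind.example.com": ["8.8.8.8", "10.0.0.5"],   # mixed answers: reject
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])
```

Odd literal forms such as `http://0x7f000001/` do not parse as IP literals and fall through to the resolver, which is why the resolved addresses, not the hostname text, are what get checked.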
Update to version 2.5.2 or a later fixed version.
CVE-2025-13999 is a Server-Side Request Forgery vulnerability affecting the HTML5 Audio Player WordPress plugin versions 2.4.0–2.5.1, allowing attackers to make arbitrary web requests.
You are affected if your WordPress site uses the HTML5 Audio Player plugin and is running version 2.4.0 through 2.5.1. Check your plugin versions immediately.
Upgrade the HTML5 Audio Player plugin to version 2.5.2 or later. Implement a WAF rule as a temporary workaround if upgrading is not immediately possible.
While there is no confirmed active exploitation, the SSRF nature of the vulnerability makes it a potential target, and proactive mitigation is recommended.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.