CVE-2025-3752
📋 TL;DR
This stored XSS vulnerability in the Able Player WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the 'preload' parameter. The scripts execute when users view compromised pages, potentially compromising their sessions or browsers. All WordPress sites using Able Player versions up to 1.2.1 are affected.
💻 Affected Systems
- Able Player WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session cookies or credentials, potentially gaining higher privileges or compromising user accounts.
If Mitigated
With proper input validation and output escaping, the vulnerability is eliminated; existing attacks would be prevented from executing.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor or higher); the vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.2 or later
Vendor Advisory: https://wordpress.org/plugins/ableplayer/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Able Player' and click 'Update Now'. 4. Alternatively, download version 1.2.2+ from WordPress.org and manually replace the plugin files.
🔧 Temporary Workarounds
Disable Able Player Plugin
allTemporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate ableplayer
Restrict User Roles
allTemporarily remove Contributor and Author roles or restrict their capabilities.
🧯 If You Can't Patch
- Remove Contributor and Author roles from untrusted users.
- Implement web application firewall (WAF) rules to block XSS payloads in 'preload' parameter.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Able Player version ≤1.2.1.Check Version:
wp plugin get ableplayer --field=versionVerify Fix Applied:
Verify Able Player version is 1.2.2 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or admin-post.php with 'preload' parameter containing script tags or JavaScript.
- Multiple failed login attempts followed by successful Contributor-level login.
Network Indicators:
- HTTP requests with suspicious 'preload' parameter values containing <script> tags or JavaScript code.
SIEM Query:
source="wordpress.log" AND ("preload" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))🔗 References
- https://plugins.trac.wordpress.org/browser/ableplayer/trunk/ableplayer.php#L375
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3281106%40ableplayer&new=3281106%40ableplayer
- https://wordpress.org/plugins/ableplayer/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/85c123ee-8de0-4800-b96b-68bb4d763560?source=cve
