Description
Hero – ShoutCast & IceCast Radio Player 4.4.2
✅ Key Features
- 🎙️ ShoutCast & IceCast Streaming — Supports streaming from ShoutCast and IceCast servers. Typically MP3, and in supported browsers also AAC streams. (lambertgroupproductions.com)
- 📻 Player History Support — Shows previously played tracks (“history”): for ShoutCast the history is fetched automatically, for IceCast it is generated while streaming. (lambertgroupproductions.com)
- 📱 Responsive Design — The player adapts to different screen sizes (desktop, tablet, mobile). You can disable responsiveness in special cases. (lambertgroupproductions.com)
- 🎨 Custom Skins & Appearance Options — Offers multiple appearance parameters: colors, width, layout, player skins (e.g. black & white), sticky mode (player stays visible while scrolling), show/hide controls (playlist, volume, share buttons, etc.). (lambertgroupproductions.com)
- 🔄 Live Song Info & Artist Image — Displays “now playing” metadata (song & artist) and artist image if available (sometimes via Last.FM API). (lambertgroupproductions.com)
- 🔗 Multiple Instances / Widget & Shortcode Integration — Can embed more than one player on a page; supports embedding via shortcode or widget. (lambertgroupproductions.com)
- 🔊 Mobile Compatibility with Caveats — Works on mobile browsers but with limitations: autoplay often blocked on iOS, volume controls may not work as expected. (lambertgroupproductions.com)
⚠️ Known Security & Limitations
- ⚠️ SQL Injection Vulnerability (<= 4.4.6) — Versions ≤ 4.4.6 of this plugin are vulnerable to SQL injection. This was fixed in version 4.4.7. Since 4.4.2 is less than 4.4.7, it’s affected. (Patchstack)
- ⚠️ Reflected Cross-Site Scripting (XSS) (< 4.4.8) — Versions up to 4.4.7 have a reflected XSS issue. So 4.4.2 is also vulnerable here. (WPScan)
- ⚠️ Support & Updates — Some sources mention the plugin hasn’t received frequent updates recently, which can lead to compatibility or security issues. (WPShop)
🔧 Recommended Actions
- 🔄 Update to latest version — If you have version 4.4.2 installed, upgrade at least to 4.4.7, which patches the SQL injection. The reflected XSS listed above affects versions below 4.4.8, so 4.4.8 or newer is needed to cover both issues.
- 🔐 Validate stream URLs — Use only trusted, secure (HTTPS) streams to avoid mixed content or leakage.
- 🧪 Test on mobile & across browsers — Check behavior for autocomplete, volume controls, autoplay, especially on iOS/Android.
- 🛠 Limit who can insert shortcode / change settings — Because some vulnerabilities arise from user input, ensure only trusted roles (admin) can change the embed settings or the stream URL.
- 🧾 Backup before updating — Always back up your site and database before plugin updates.







