Description
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version <= 4.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-01-18
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that lets an administrator inject scripts that will execute automatically in any user’s browser when the page is viewed
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from insufficient sanitization of the Feed Name field in Podlove Podcast Publisher. Attackers with administrator privileges can store malicious JavaScript in this field, which is then rendered without escaping. When a user opens the affected page, the browser executes the embedded script, enabling theft of session data or other malicious actions. This is a Stored Cross‑Site Scripting flaw classified as CWE‑79.

Affected Systems

The flaw affects installations of Podlove Podcast Publisher version 4.1.25 or earlier on WordPress. It only manifests on multi‑site setups where the unfiltered_html capability is disabled. The affected vendor is eteubert and the product is Podlove Podcast Publisher.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% shows a very low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Because the attacker must be an administrator and the attack occurs when a user views the injected content, the vector is local with potential impact on all site visitors who render the page.

Generated by OpenCVE AI on April 22, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Podlove Podcast Publisher to version 4.1.26 or later to apply the vendor’s fix.
  • Review and sanitize existing Feed Names that may contain injected scripts, removing any embedded code.
  • Restrict the unfiltered_html capability to trusted administrators only, disabling it for lower‑privilege users to prevent accidental malicious injections.

Generated by OpenCVE AI on April 22, 2026 at 13:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1752 The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version <= 4.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Wed, 19 Mar 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Podlove
Podlove podlove Podcast Publisher
CPEs cpe:2.3:a:podlove:podlove_podcast_publisher:*:*:*:*:*:wordpress:*:*
Vendors & Products Podlove
Podlove podlove Podcast Publisher

Wed, 22 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 18 Jan 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version <= 4.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Podlove Podcast Publisher <= 4.1.25 - Authenticated (Admin+) Stored Cross-Site Scripting via Feed Name
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Podlove Podlove Podcast Publisher
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:49.147Z

Reserved: 2025-01-17T17:19:12.656Z

Link: CVE-2025-0554

cve-icon Vulnrichment

Updated: 2025-01-22T14:20:06.163Z

cve-icon NVD

Status : Analyzed

Published: 2025-01-18T06:15:28.160

Modified: 2025-03-19T19:53:31.407

Link: CVE-2025-0554

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses