Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Angelo Mandato Blubrry PowerPress Podcasting plugin MultiSite add-on powerpress-multisite allows Reflected XSS. This issue affects Blubrry PowerPress Podcasting plugin MultiSite add-on: from n/a through <= 0.1.1.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability results from improper neutralization of user input before it is written into a generated web page, enabling reflected XSS. An attacker can embed script in a crafted URL that, when opened by a user, executes in that user's browser in the context of the affected site, potentially hijacking sessions, defacing content, or facilitating phishing attacks. The weakness is the classic neutralization flaw catalogued as CWE‑79.

Affected Systems

WordPress sites running the Blubrry PowerPress Podcasting plugin Multi‑Site add‑on version 0.1.1 or earlier, distributed by Angelo Mandato. Multi‑site installations are particularly vulnerable, as the flaw can affect all sites within the network.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate risk, and the EPSS score of <1% suggests a low likelihood of exploitation as of this assessment. Exploitation requires no authentication (PR:N in the CVSS vector) but does require a victim to open a crafted link (UI:R). Although this vulnerability is not listed in CISA's KEV catalog, the potential impact on a multi‑site environment warrants prompt action.

Generated by OpenCVE AI on May 1, 2026 at 01:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blubrry PowerPress Podcasting Multi‑Site add‑on to a version newer than 0.1.1 as soon as one is available, to eliminate the unescaped reflection of request input.
  • If an immediate upgrade is not possible, restrict access to the plugin's exposed pages and input fields, and ensure all user‑supplied data is escaped or encoded for the context in which it is rendered (HTML body, attribute, URL, or script) before it is written to a page.
  • Deploy a strict Content‑Security‑Policy to mitigate the impact of any remaining reflected script vectors. Note that the legacy X‑XSS‑Protection header is no longer honoured by current browsers, so CSP is the effective browser-side control.

Generated by OpenCVE AI on May 1, 2026 at 01:10 UTC.
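As an added illustration of the CWE‑79 pattern the recommendations above address (this is not code from the PowerPress MultiSite add-on; the affected parameter is not identified on this page), the hypothetical WordPress admin notice below reflects a query‑string value unescaped, followed by the hardened form that sanitizes on input and escapes on output with the WordPress escaping API, and a front‑end CSP header as defence in depth. The function names, the `example-ms` menu slug and the `msg` parameter are assumptions.

```php
<?php
// Added example, not code from the Blubrry PowerPress MultiSite add-on.
// Hypothetical plugin that shows a status message taken from the query string
// on its own admin screen, e.g. wp-admin/admin.php?page=example-ms&msg=Saved

// --- Vulnerable pattern (CWE-79): raw $_GET value written into the page ---
// Deliberately NOT hooked with add_action(); shown only for comparison.
function example_ms_notice_vulnerable() {
    if ( ! isset( $_GET['msg'] ) ) {
        return;
    }
    // Anything in msg, including markup and <script>, lands in the HTML as-is.
    echo '<div class="notice notice-info"><p>' . $_GET['msg'] . '</p></div>';
}

// --- Hardened pattern: scope the handler, sanitize input, escape output ---
function example_ms_notice_hardened() {
    if ( ! isset( $_GET['msg'] ) ) {
        return;
    }
    // Only react on this plugin's own screen, not on every admin page.
    $screen = get_current_screen();
    if ( ! $screen || 'toplevel_page_example-ms' !== $screen->id ) {
        return;
    }
    // wp_unslash() removes WordPress's added slashes; sanitize_text_field()
    // strips tags and control characters. Neither replaces output escaping.
    $msg = sanitize_text_field( wp_unslash( $_GET['msg'] ) );
    // esc_html() encodes < > & " ' so the value can only render as text.
    // Inside an attribute use esc_attr(); inside an href use esc_url().
    echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
}
add_action( 'admin_notices', 'example_ms_notice_hardened' );

// --- Defence in depth: CSP for front-end responses ---
// send_headers fires for front-end requests. wp-admin depends on inline
// scripts, so it needs a separately tuned (nonce- or hash-based) policy.
function example_ms_send_csp() {
    if ( headers_sent() ) {
        return;
    }
    // Blocks inline and third-party script; widen 'self' only for sources
    // the site actually loads from.
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'example_ms_send_csp' );
```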


Advisories
Source: EUVD
ID: EUVD-2025-14760
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Angelo Mandato Blubrry PowerPress Podcasting plugin MultiSite add-on allows Reflected XSS. This issue affects Blubrry PowerPress Podcasting plugin MultiSite add-on: from n/a through 0.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Angelo Mandato Blubrry PowerPress Podcasting plugin MultiSite add-on allows Reflected XSS. This issue affects Blubrry PowerPress Podcasting plugin MultiSite add-on: from n/a through 0.1.1.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Angelo Mandato Blubrry PowerPress Podcasting plugin MultiSite add-on powerpress-multisite allows Reflected XSS.This issue affects Blubrry PowerPress Podcasting plugin MultiSite add-on: from n/a through <= 0.1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 03 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Angelo Mandato Blubrry PowerPress Podcasting plugin MultiSite add-on allows Reflected XSS. This issue affects Blubrry PowerPress Podcasting plugin MultiSite add-on: from n/a through 0.1.1.
Title WordPress Blubrry PowerPress Podcasting plugin MultiSite add-on plugin <= 0.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.212Z

Reserved: 2025-03-28T11:00:31.358Z

Link: CVE-2025-31436

Vulnrichment

Updated: 2025-04-03T14:59:12.232Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:35.367

Modified: 2026-04-23T15:27:49.403

Link: CVE-2025-31436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z

Weaknesses