Impact
Server-Side Request Forgery (SSRF) in the blubrry PowerPress Podcasting WordPress plugin allows an attacker to make the server issue arbitrary HTTP requests. The flaw is classified as CWE-918 and gives the attacker a potential path to reach internal network resources, exfiltrate sensitive data, or use the compromised site as a proxy for further attacks against other systems.
Affected Systems
The vulnerability affects all installations of the PowerPress Podcasting plugin up to and including version 11.12.6. Site owners running any of these releases are exposed if the plugin is present, regardless of WordPress version or underlying operating system; no additional platform restrictions are documented.
Risk and Exploitability
The CVSS score of 4.9 indicates moderate severity. The EPSS score is below 1 %, suggesting a low probability of exploitation at this time, and the issue is not listed in CISA's KEV catalog. The likely attack vector is a threat actor who can inject a malicious URL into the plugin's request mechanism, most likely through the WordPress administrative interface or through a crafted URL in public episode fields, and thereby triggers outbound HTTP requests from the server. Based on the description, it is inferred that the attacker must control an input path that passes an unsanitized URL to the plugin; without such access, exploitation is unlikely.
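A defensive check for the kind of request mechanism described above, added here as an example and not code from the PowerPress plugin or from OpenCVE: before fetching a user-supplied URL, restrict the scheme, resolve the host, refuse any address that is not globally routable, and hand back the validated addresses so the caller connects to one of them instead of resolving again. Function names and the hostnames in the comments are assumed.

```python
"""Validate a user-supplied URL before fetching it server-side (CWE-918).
Added example, not code from the PowerPress plugin."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Every address the host maps to (A and AAAA), as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (169.254.169.254 metadata), ULA and multicast."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 hides a private IPv4
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url, resolver=default_resolver):
    """Return (ok, reason, ips). Fetch only when ok, and connect to one of
    the returned ips rather than re-resolving (defeats DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        ips = [str(ipaddress.ip_address(host))]  # IP literal, no lookup
    except ValueError:
        try:
            ips = list(resolver(host))
        except (socket.gaierror, OSError):
            ips = []
    if not ips:
        return False, "unresolvable host", []
    # Every record must be public; a mixed set of public and private
    # answers is a common evasion, so one bad address rejects the URL.
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad:
        return False, "non-public address " + bad[0], []
    return True, "ok", ips
```

Redirect targets must be validated the same way before they are followed, since an allowed public host can redirect the fetcher to an internal address.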
OpenCVE Enrichment