Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.9.0.
Published: 2025-04-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation results in a stored XSS flaw within the Seriously Simple Podcasting plugin. This flaw is classified as CWE-79. An attacker can inject malicious scripts that execute in the browsers of anyone who views podcast pages, potentially enabling cookie theft, session hijacking, or defacement of the displayed content. The vulnerability does not provide remote code execution but can severely compromise user data confidentiality and the integrity of the web interface.

Affected Systems

The flaw affects users of Seriously Simple Podcasting version 3.9.0 or earlier on WordPress sites. The plugin is developed by Craig Hewitt. No specific WordPress core versions are listed as affected; the issue resides solely in the plugin's handling of user-supplied content.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a privileged user submitting content through the plugin's administrative interface; once stored, the payload is delivered to every visitor who views the affected podcast page. Launching the attack therefore requires a role that can add or edit podcast entries, such as a site administrator or editor, and the resulting impact is confined to client-side script execution.

Generated by OpenCVE AI on May 1, 2026 at 09:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Seriously Simple Podcasting to the latest version that addresses the XSS issue
  • If an upgrade is not immediately possible, disable or uninstall the plugin to stop further exploitation
  • For sites that must keep the plugin, sanitize or strip all user-supplied HTML before storing or rendering podcast content, for example by adding a custom wp_kses filter or setting a restrictive content security policy
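The sanitize-on-store, escape-on-output and CSP measures from the list above, as an added mitigation example written for this page (not code from the Seriously Simple Podcasting plugin or from OpenCVE). It assumes the plugin stores episodes as the custom post type `podcast` and that the file is installed as a site-specific mu-plugin; both are assumptions.

```php
<?php
// Added example, not plugin code. Assumed: episodes use post type 'podcast'.

// Allow-list: a reduced subset of WordPress' post tags. No event-handler
// attributes, no <script>, and wp_kses drops javascript: URLs in href.
function ssp_hardening_allowed_html() {
    return array(
        'a'          => array( 'href' => true, 'title' => true, 'rel' => true ),
        'p'          => array(), 'br' => array(), 'em' => array(), 'strong' => array(),
        'ul'         => array(), 'ol' => array(), 'li' => array(),
        'blockquote' => array(), 'h2' => array(), 'h3' => array(),
    );
}

// Input side: strip disallowed markup before the episode is stored.
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    if ( ( $data['post_type'] ?? '' ) !== 'podcast' ) {
        return $data; // assumed post type slug; adjust for your site
    }
    // wp_insert_post_data receives slashed data: unslash, sanitize, reslash.
    $content              = wp_unslash( $data['post_content'] );
    $data['post_content'] = wp_slash( wp_kses( $content, ssp_hardening_allowed_html() ) );
    $data['post_title']   = wp_slash( sanitize_text_field( wp_unslash( $data['post_title'] ) ) );
    return $data;
}, 10, 2 );

// Output side: escape again at render time, because content stored before
// this filter was installed may already carry a payload.
function ssp_hardening_render_episode( WP_Post $episode ) {
    echo '<h2>' . esc_html( get_the_title( $episode ) ) . '</h2>';
    echo wp_kses( $episode->post_content, ssp_hardening_allowed_html() );
}

// Defense in depth: a restrictive CSP so an inline script that slips through
// is refused by the browser. Test first; themes relying on inline scripts break.
add_action( 'send_headers', function () {
    if ( ! is_admin() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```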

Advisories
Source: EUVD
ID: EUVD-2025-12075
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through 3.9.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through 3.9.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS.This issue affects Seriously Simple Podcasting: from n/a through <= 3.9.0.
Type: References
Type: Metrics
Values Removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Tue, 09 Dec 2025 18:45:00 +0000

Type: First Time appeared
Values Added: Castos; Castos seriously Simple Podcasting
Type: CPEs
Values Added: cpe:2.3:a:castos:seriously_simple_podcasting:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Castos; Castos seriously Simple Podcasting

Fri, 25 Apr 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through 3.9.0.
Type: Title
Values Added: WordPress Seriously Simple Podcasting plugin <= 3.9.0 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.177Z

Reserved: 2025-04-22T09:21:51.396Z

Link: CVE-2025-46261

Vulnrichment

Updated: 2025-04-24T19:56:28.328Z

NVD

Status : Modified

Published: 2025-04-24T16:15:34.337

Modified: 2026-04-23T15:29:58.477

Link: CVE-2025-46261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses