Description
Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through <= 11.12.5.
Published: 2025-04-24
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to upload files of dangerous types through the PowerPress Podcasting plugin, enabling the placement of a web shell or other executable payload. This flaw, classified as CWE-434, can compromise the confidentiality, integrity, and availability of the host system by allowing remote execution of arbitrary code.

Affected Systems

Blubrry’s PowerPress Podcasting plugin is affected when running version 11.12.5 or any earlier release. The issue applies to any WordPress site that has the plugin enabled, regardless of deployment customizations.

Risk and Exploitability

The CVSS base score of 9.9 indicates critical severity, while the EPSS score is below 1%, implying a low likelihood of exploitation relative to other vulnerabilities. The flaw has not been catalogued in CISA's KEV. Attackers would exploit the plugin's upload function, which is described as unrestricted; the CVSS vector (PR:L) indicates that authenticated, low-privilege access is required, though the exact WordPress role is not specified. Successful exploitation results in the attacker gaining full control over the affected web server.

Generated by OpenCVE AI on April 30, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PowerPress Podcasting to version 11.12.6 or later to remove the vulnerable upload handler.
  • If an upgrade cannot be performed immediately, block or restrict the plugin's upload endpoint to allow only safe MIME types and file extensions, and enforce server-side checks to reject disallowed files.
  • Run a comprehensive web-shell detection scan on the site to identify and remove any malicious files that may have been uploaded, and verify that no executable uploads remain.
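The second recommended action above asks for server-side checks that reject anything but safe types. The following is an added example, written for this page and not code from PowerPress, Blubrry or OpenCVE, of what such a check looks like for a media upload: a single-extension allowlist, MIME detection from the bytes on disk rather than the client-supplied header, and storage under a server-generated name. The function name, the allowlist and the `$upload_dir` path are constructed for the example.

```php
<?php
// Added example, not code from PowerPress or OpenCVE: a server-side allowlist
// check for a media upload. Function name, allowlist and paths are constructed.

/**
 * Return the allowed extension for an uploaded file, or null if any check fails.
 *
 * $file is one entry of PHP's $_FILES array; $allowlist maps a lowercase
 * extension to the MIME type libmagic is expected to report for that format.
 */
function example_allowed_upload_extension(array $file, array $allowlist): ?string
{
    // 1. The transfer must have succeeded and the path must be a real PHP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Exactly one dot in the name, and the extension must be on the allowlist.
    //    Refusing multi-dot names rejects a name such as "cover.php.mp3" outright,
    //    so a permissive web-server handler mapping has nothing to match.
    $parts = explode('.', basename($file['name'] ?? ''));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!array_key_exists($ext, $allowlist)) {
        return null;
    }

    // 3. Detect the MIME type from the bytes on disk; the client-supplied
    //    $file['type'] value is attacker-controlled and is never consulted.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowlist[$ext]) {
        return null;
    }

    return $ext;
}

// Allowlist for podcast media (constructed; confirm the MIME strings your
// libmagic build reports, since they differ between versions).
$allowlist = [
    'mp3' => 'audio/mpeg',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

// Assumed destination: a directory where the web server has script execution
// disabled, so even a misclassified file is served as data, never run.
$upload_dir = '/var/www/podcast-media';

// Usage inside a request handler for a form field named "media".
$ext = example_allowed_upload_extension($_FILES['media'] ?? [], $allowlist);
if ($ext === null) {
    http_response_code(415);
    exit('Unsupported or malformed upload');
}

// Store under a server-generated name so the user-chosen filename never
// reaches the filesystem.
$target = sprintf('%s/%s.%s', $upload_dir, bin2hex(random_bytes(16)), $ext);
if (!move_uploaded_file($_FILES['media']['tmp_name'], $target)) {
    http_response_code(500);
    exit('Could not store upload');
}
```

Inside a WordPress plugin the equivalent extension-versus-content agreement check is available as `wp_check_filetype_and_ext()`, which is the API a plugin should route its uploads through; the extension and MIME allowlists still have to be restricted to the formats the feature actually needs, and the upload directory should be configured so that the web server never executes files stored there.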


Advisories
Source: EUVD
ID: EUVD-2025-12067
Title: Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through 11.12.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1), added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, removed: Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through 11.12.5.
  Description, added: Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server.This issue affects PowerPress Podcasting: from n/a through <= 11.12.5.
  References: changed (no values shown)
  Metrics (cvssV3_1), added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Fri, 25 Apr 2025 14:15:00 +0000

  Metrics (ssvc), added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

  Description, added: Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through 11.12.5.
  Title, added: WordPress PowerPress Podcasting <= 11.12.5 - Arbitrary File Upload Vulnerability
  Weaknesses, added: CWE-434
  References: changed (no values shown)
  Metrics (cvssV3_1), added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.343Z

Reserved: 2025-04-22T09:21:51.396Z

Link: CVE-2025-46264

Vulnrichment

Updated: 2025-04-24T19:53:26.882Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:34.470

Modified: 2026-04-23T15:29:58.820

Link: CVE-2025-46264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses