Impact
The vulnerability is an Open Redirect flaw in the Podlove Podcast Publisher plugin for WordPress, affecting all versions up to and including 4.2.5. The plugin accepts a user-supplied redirect URL without validating it or allow-listing the target host. An attacker can therefore craft a link whose hostname is the trusted site but which forwards the visitor to an attacker-controlled or phishing destination. Because the link passes through a domain the victim already trusts, it is well suited to credential phishing, malware delivery and other social-engineering attacks. The weakness is a classic Open Redirect (CWE-601).
Affected Systems
All installations of the Podlove Podcast Publisher plugin developed by Eric Teubert running any release from the plugin's first version through 4.2.5 are affected. This includes every WordPress site with the plugin installed at one of those versions.
Risk and Exploitability
A CVSS score of 4.7 places the issue at medium severity. The EPSS score of less than 1 % reflects a very low observed exploitation probability as of this analysis, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires user interaction: the attacker crafts a URL that triggers the plugin's redirect mechanism, lures a victim into opening it (for example via e-mail or a social-media post), and the plugin forwards the victim to the attacker-controlled site.
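The check that the Impact section says is missing, and that would break the attack path described above, is a host allow-list applied to the redirect target before the Location header is emitted. The following is an added example, not code from the Podlove plugin or from WordPress; it assumes a site hostname of podcast.example and a request parameter named target, both chosen for illustration. It also covers the bypass spellings an attacker tries against naive "starts with /" or "contains our domain" checks: protocol-relative (//evil), backslash (/\evil), scheme-without-slashes (https:evil), userinfo (https://site@evil) and suffix (site.evil) tricks. In a WordPress plugin the same effect is obtained with wp_safe_redirect(), which validates against the site host plus the allowed_redirect_hosts filter.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only host a redirect may land on.
ALLOWED_HOSTS = {"podcast.example"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site path or an allow-listed https/http URL.

    Anything ambiguous is rejected: the cost of a false negative is a
    fallback to the home page, the cost of a false positive is an open redirect.
    """
    if not target:
        return False
    target = target.strip()
    # Browsers silently drop tabs/newlines inside URLs; reject rather than mimic that.
    if any(ord(c) < 0x20 for c in target):
        return False
    # Browsers treat "\" as "/", so "/\evil.example" is really "//evil.example".
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    # Relative path: must start with exactly one "/" ("//host" is protocol-relative).
    if not parts.scheme and not parts.netloc:
        return candidate.startswith("/") and not candidate.startswith("//")

    # Absolute URL: only http(s), and the parsed hostname must match exactly.
    # parts.hostname is lowercased and has userinfo ("user@") and port stripped,
    # so "https://podcast.example@evil.example/" resolves to evil.example here.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host in allowed_hosts


def safe_redirect_location(target: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Value to place in the Location header: the target if safe, else `fallback`."""
    return target.strip() if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed inputs: what a phishing link's ?target= parameter might carry.
    for t in ["/episodes/42", "https://podcast.example/feed", "//evil.example/login",
              "/\\evil.example", "https:evil.example", "https://podcast.example@evil.example/",
              "https://podcast.example.evil.example/", "javascript:alert(1)"]:
        print(f"{t!r:45} -> Location: {safe_redirect_location(t)}")
```

The function deliberately rejects bare relative paths without a leading slash and non-http(s) schemes; if the plugin needs to redirect to a partner host, that host is added to the allow-list rather than the check being loosened.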
OpenCVE Enrichment