Impact
The vulnerability is a missing authorization check in the Seriously Simple Podcasting plugin for WordPress (CWE-862, Missing Authorization): a code path that should be limited to privileged users does not verify the caller's capability before acting. An attacker who can reach that code path can perform actions that should be restricted, potentially leading to unauthorized modification or exposure of podcast content. This is an authorization defect in the plugin's code, not a site misconfiguration, so it cannot be corrected by adjusting WordPress settings.
Affected Systems
This flaw affects the Seriously Simple Podcasting plugin developed by Craig Hewitt for WordPress. All versions from the earliest release up to and including 3.13.0 are vulnerable. Any deployment running a version in this range should be treated as affected until it is updated to a release outside the affected range.
Risk and Exploitability
The CVSS base score of 4.3 places the issue in the Medium severity range, indicating limited rather than site-wide impact, while the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based: the plugin's administrative functionality is reached through the WordPress web interface (admin-ajax.php actions, REST API routes or admin-post handlers), so an attacker who can send crafted requests to the affected endpoint can trigger the unauthorized action. The description does not state which endpoint lacks the check or what privilege level, if any, is required. Because missing-authorization flaws in WordPress plugins are most often reachable by any logged-in user regardless of role, operators should assume that low-privileged authenticated accounts (for example Subscribers on sites with open registration) are sufficient, and should not rely on the absence of an anonymous attack path until a fix is applied.
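To make the class of bug concrete, the following is an added illustration of CWE-862 in a WordPress plugin handler and of the corresponding fix. It is not code from Seriously Simple Podcasting or from OpenCVE; the action name, REST route, option key and function names are hypothetical, chosen only to show the pattern that the Impact and Risk sections above describe.

```php
<?php
/**
 * Added example (not the plugin's own code). Demonstrates a missing
 * authorization check (CWE-862) in a WordPress AJAX handler and a REST
 * route, next to the hardened form of each. All identifiers below
 * (ssp_demo_*) are hypothetical.
 */

// --- Vulnerable AJAX handler ------------------------------------------------
// The wp_ajax_ prefix only requires that the caller be logged in; it does not
// check the caller's role. A Subscriber can therefore POST to
// /wp-admin/admin-ajax.php?action=ssp_demo_update_setting and change the option.
// (With a wp_ajax_nopriv_ hook the same handler would be reachable anonymously.)
add_action( 'wp_ajax_ssp_demo_update_setting', 'ssp_demo_update_setting_vulnerable' );
function ssp_demo_update_setting_vulnerable() {
	$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
	update_option( 'ssp_demo_setting', $value ); // privileged state change, no capability check
	wp_send_json_success();
}

// --- Hardened AJAX handler --------------------------------------------------
add_action( 'wp_ajax_ssp_demo_update_setting_fixed', 'ssp_demo_update_setting_fixed' );
function ssp_demo_update_setting_fixed() {
	// CSRF protection: the request must carry a nonce issued for this action.
	// check_ajax_referer() terminates the request with HTTP 403 if it is invalid.
	check_ajax_referer( 'ssp_demo_update_setting', 'nonce' );

	// Authorization: only users who may manage options proceed. wp_send_json_error()
	// calls wp_die(), so execution stops here for unprivileged callers.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
	}

	$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
	update_option( 'ssp_demo_setting', $value );
	wp_send_json_success();
}

// --- REST routes: the same defect expressed as a permission_callback ----------
add_action( 'rest_api_init', 'ssp_demo_register_routes' );
function ssp_demo_register_routes() {
	// Vulnerable: __return_true makes the route callable by anyone who can reach
	// the REST API, which by default includes unauthenticated visitors.
	register_rest_route( 'ssp-demo/v1', '/setting', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'ssp_demo_rest_update_setting',
		'permission_callback' => '__return_true',
	) );

	// Hardened: the permission callback enforces the capability; WordPress
	// returns 401/403 before the callback runs if it yields false or WP_Error.
	register_rest_route( 'ssp-demo/v1', '/setting-fixed', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'ssp_demo_rest_update_setting',
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
		'args'                => array(
			'value' => array(
				'required'          => true,
				'sanitize_callback' => 'sanitize_text_field',
			),
		),
	) );
}

function ssp_demo_rest_update_setting( WP_REST_Request $request ) {
	update_option( 'ssp_demo_setting', $request->get_param( 'value' ) );
	return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this weakness, the check a practitioner applies is mechanical: for every `wp_ajax_`/`wp_ajax_nopriv_` hook, `admin_post_` hook and `register_rest_route()` call, confirm that a `current_user_can()` (or equivalent capability) check guards any state-changing or data-exposing operation, and that `permission_callback` is not `__return_true` for anything beyond genuinely public reads. A nonce check alone is not authorization: it proves the request came from a page served to that user, not that the user is allowed to perform the action.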
OpenCVE Enrichment