Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Retrieve Embedded Sensitive Data. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0.
Published: 2025-11-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Seriously Simple Podcasting plugin for WordPress contains an information-exposure flaw classified as CWE‑497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) that lets a party outside the intended control sphere retrieve sensitive data embedded in the plugin's responses. The advisory does not identify the affected endpoint, the request that triggers the leak, or what data is returned. What the record does establish is the weakness class and the CVSS vectors listed on this page, both of which rate the attack as network-reachable (AV:N) with no privileges required (PR:N); the most plausible reading is an unauthenticated HTTP request to a plugin endpoint that returns more than it should, but that is inference, not something the advisory states.

Affected Systems

This issue affects the Seriously Simple Podcasting plugin (plugin slug seriously-simple-podcasting) developed by Craig Hewitt and tracked under the vendor Castos in the CPE record. The advisory gives no lower bound ("from n/a"), so every release up to and including 3.13.0 should be treated as affected. Any WordPress site running one of these versions is in scope; verify the installed version from the plugin header or the Plugins screen rather than assuming a recent install is safe.

Risk and Exploitability

The CVSS base score is 5.3 (Medium), but note that two different vectors are recorded for that score in the History section: the vector added on 21 Nov 2025, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (high attack complexity, user interaction required, high confidentiality impact), and the vector added on 23 Apr 2026, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (low complexity, no interaction, low confidentiality impact). Both agree that the attack is network-reachable, needs no privileges, and affects confidentiality only. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, the CVE is not in the CISA KEV catalog, and the SSVC assessment on this page records Exploitation: none, Automatable: no and Technical Impact: partial. No public exploit is referenced here. The practical impact depends on what the exposed data actually is, which the advisory does not say; plan for a partial confidentiality loss unless your own testing of the affected site shows the leaked content is harmless.

Generated by OpenCVE AI on April 29, 2026 at 20:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Seriously Simple Podcasting to a release newer than 3.13.0 as soon as one is available. The advisory scopes the issue as "<= 3.13.0", so check the plugin changelog for the release that references CVE-2025-66059 before treating an upgrade as the fix.
  • If an upgrade is not immediately possible, restrict access to the plugin's public endpoints: require a logged-in user with an appropriate capability for the plugin's REST routes, or limit access to them by source IP at the web server. Because the advisory does not identify the vulnerable endpoint, scope the restriction to the whole plugin namespace and then confirm that the front-end player and feeds still work for anonymous visitors.
  • Apply general WordPress hardening: keep core and plugins current, follow least privilege for user roles so that low-privileged accounts cannot reach configuration or system data, and limit filesystem permissions on plugin files and directories to what the web server process needs.
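The interim restriction in the second recommendation can be expressed as a must-use plugin that short-circuits the REST dispatcher for the plugin's namespace unless a capable user is logged in, and that switches itself off once the installed version is newer than 3.13.0. The code below is an added example for this page, not code from Seriously Simple Podcasting, Castos or Patchstack. Two things in it are assumptions that must be confirmed on the target site: the main plugin file path (used only to read the Version header) and the REST namespace prefix `/ssp/v1/`, neither of which the advisory states. The WordPress functions used (`get_file_data`, `version_compare`, the `rest_pre_dispatch` filter, `rest_authorization_required_code`) are standard core APIs.

```php
<?php
/**
 * Plugin Name: Temporary REST gate for Seriously Simple Podcasting
 * Description: Require a logged-in user with a capability for REST requests
 *              in the podcasting plugin's namespace while the installed
 *              release is <= 3.13.0. Place this file in wp-content/mu-plugins/.
 */

// ASSUMPTION: main plugin file path; check `ls wp-content/plugins/` on the site.
function ssp_gate_plugin_file() {
    return WP_PLUGIN_DIR . '/seriously-simple-podcasting/seriously-simple-podcasting.php';
}

// ASSUMPTION: the plugin's REST namespace; confirm by fetching /wp-json/ and
// reading the "namespaces" list. The advisory does not name the endpoint.
function ssp_gate_namespace_prefix() {
    return '/ssp/v1/';
}

/** Highest affected release according to the advisory ("through <= 3.13.0"). */
function ssp_gate_max_affected_version() {
    return '3.13.0';
}

/** Installed plugin version read from the plugin header, or null if the file is absent. */
function ssp_gate_installed_version() {
    $file = ssp_gate_plugin_file();
    if ( ! is_readable( $file ) ) {
        return null;
    }
    $headers = get_file_data( $file, array( 'Version' => 'Version' ) );
    return ( isset( $headers['Version'] ) && '' !== $headers['Version'] ) ? $headers['Version'] : null;
}

/** True when $installed falls inside the advisory's affected range. */
function ssp_gate_is_affected( $installed ) {
    return null !== $installed
        && version_compare( $installed, ssp_gate_max_affected_version(), '<=' );
}

/**
 * rest_pre_dispatch callback. Returning a WP_Error makes the REST server
 * answer with that error instead of running the matched route's handler.
 */
function ssp_gate_rest_pre_dispatch( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited this request
    }
    // get_route() is already normalised for both /wp-json/... and ?rest_route=... forms.
    if ( 0 !== strpos( $request->get_route(), ssp_gate_namespace_prefix() ) ) {
        return $result; // not one of the plugin's routes; leave it alone
    }
    // The advisory does not say which endpoint leaks, so gate the whole namespace.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'ssp_gate_auth_required',
            'Authentication required for this route.',
            array( 'status' => rest_authorization_required_code() ) // 401 for anonymous, 403 otherwise
        );
    }
    return $result;
}

// Install the gate only while the vulnerable range is present, so the
// mu-plugin becomes a no-op once the site is upgraded past 3.13.0.
add_action( 'plugins_loaded', function () {
    if ( ssp_gate_is_affected( ssp_gate_installed_version() ) ) {
        add_filter( 'rest_pre_dispatch', 'ssp_gate_rest_pre_dispatch', 10, 3 );
    }
} );
```

To verify the gate, request a route under the assumed namespace anonymously (for example `curl -i https://example.com/wp-json/ssp/v1/`) and expect a 401; a logged-in editor sending a valid REST nonce should still get through. Two caveats: anonymous features that depend on those routes, such as the front-end player or podcast apps pulling from the REST API, will break while the gate is active, and if the exposure turns out to be reachable through a path outside the REST namespace (a feed or an admin-ajax action, for instance), this gate does not cover it.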

Generated by OpenCVE AI on April 29, 2026 at 20:04 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 04 Dec 2025 16:30:00 +0000

Type: First Time appeared
Values Added: Castos; Castos Seriously Simple Podcasting
Type: CPEs
Values Added: cpe:2.3:a:castos:seriously_simple_podcasting:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Castos; Castos Seriously Simple Podcasting

Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Craig Hewitt; Craig Hewitt Seriously Simple Podcasting; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Craig Hewitt; Craig Hewitt Seriously Simple Podcasting; Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type: Description
Values Added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Retrieve Embedded Sensitive Data. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0.
Type: Title
Values Added: WordPress Seriously Simple Podcasting plugin <= 3.13.0 - Sensitive Data Exposure vulnerability
Type: Weaknesses
Values Added: CWE-497
Type: References (no values recorded)

Subscriptions

Castos Seriously Simple Podcasting
Craig Hewitt Seriously Simple Podcasting
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:15.521Z

Reserved: 2025-11-21T11:20:39.725Z

Link: CVE-2025-66059

Vulnrichment

Updated: 2025-11-21T14:44:24.253Z

NVD

Status : Modified

Published: 2025-11-21T13:15:46.623

Modified: 2026-04-27T18:16:31.647

Link: CVE-2025-66059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:15:19Z

Weaknesses