Description
Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.
Published: 2026-01-22
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Immediate Update
AI Analysis

Impact

The vulnerability in the Seriously Simple Podcasting plugin allows an attacker to direct the server to make arbitrary HTTP requests to internal or external resources, potentially leaking sensitive data or triggering unintended actions. It originates from an improperly validated input that the plugin uses to fetch podcast media or metadata. The weakness is classified as CWE-918.

Affected Systems

The flaw is present in all versions of the Seriously Simple Podcasting plugin up to and including version 3.14.1, distributed by Craig Hewitt for WordPress. Sites running any of these vulnerable versions are at risk until patched.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, the attack path requires nothing more than supplying a crafted URL or media reference to the plugin, which the server then forwards as a request. Because the flaw gives an attacker control over outbound requests from the server, a successful exploit could expose internal network resources or cause the server to communicate with malicious endpoints.

Generated by OpenCVE AI on April 16, 2026 at 02:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Seriously Simple Podcasting plugin to version 3.15 or later.
  • If upgrading is not immediately possible, disable the plugin to eliminate the attack surface.
  • Monitor incoming requests to the plugin endpoint for suspicious outbound traffic.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Craig Hewitt; Craig Hewitt seriously Simple Podcasting; Wordpress; Wordpress wordpress
Vendors & Products    -                Craig Hewitt; Craig Hewitt seriously Simple Podcasting; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type          Values Removed   Values Added
Description   -                Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.
Title         -                WordPress Seriously Simple Podcasting plugin <= 3.14.1 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses    -                CWE-918
References    -                -
Metrics       -                cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:08.202Z

Reserved: 2026-01-22T14:42:24.567Z

Link: CVE-2026-24360

Vulnrichment

Updated: 2026-01-22T20:39:45.329Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:39.700

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:15:21Z

Weaknesses