Impact
The vulnerability is a Server‑Side Request Forgery in Craig Hewitt’s Seriously Simple Podcasting WordPress plugin, enabling an attacker to cause the server to perform arbitrary HTTP requests. This weakness is categorized as CWE‑918. Because the plugin accepts external URLs as input, the flaw can be exploited to direct the host to query any internal or external resource, potentially exposing data or triggering unintended actions. The vulnerability description does not specify the exact handling of the request, so the extent of potential damage is inferred from the general behavior of SSRF flaws.
Affected Systems
The flaw is present in all releases of Seriously Simple Podcasting distributed by Craig Hewitt up to and including version 3.14.1. WordPress sites that have any of those versions installed are therefore vulnerable until a patched release is applied.
Risk and Exploitability
The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Based on the nature of SSRF, we infer that an attacker would need to supply a crafted URL or media reference to the plugin, which the host would then fetch. On successful exploitation, the attacker could force outbound network traffic, potentially reaching internal resources or communicating with external endpoints. The current data do not confirm any known exploitation campaigns.
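A defensive check for this class of flaw, added here as an illustration and not taken from the plugin or its patch: the hypothetical helpers `example_resolve_host` and `example_is_public_http_url` refuse server-side fetches to non-HTTP schemes and to hosts that resolve to loopback, private or reserved addresses. The host names and addresses in the demo are constructed.

```php
<?php
// Added example (hypothetical helper names, not the plugin's code): decide whether
// a user-supplied URL may be fetched server-side without reaching internal services.

function example_resolve_host(string $host): array
{
    // IP literals need no lookup; parse_url() keeps the brackets on IPv6 literals.
    $literal = trim($host, '[]');
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        return [$literal];
    }
    $ips = gethostbynamel($host) ?: [];
    foreach (@dns_get_record($host, DNS_AAAA) ?: [] as $record) {
        $ips[] = $record['ipv6'];
    }
    return $ips;
}

function example_is_public_http_url(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only web schemes, and no embedded credentials (user:pass@host confusion).
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $ips = ($resolver ?? 'example_resolve_host')($parts['host']);
    if ($ips === []) {
        return false; // unresolvable host: fail closed
    }
    // Every resolved address must be public: this rejects loopback, RFC 1918,
    // link-local and reserved ranges. The later fetch should connect to the
    // address validated here, otherwise a second DNS answer can differ.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs; the stub resolver keeps the demo offline.
$dns  = ['media.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']];
$stub = fn(string $h): array => $dns[$h] ?? example_resolve_host($h);
$urls = ['https://media.example/ep1.mp3', 'http://intranet.example/',
         'http://127.0.0.1:8080/', 'http://[::1]/', 'ftp://media.example/ep1.mp3'];
foreach ($urls as $u) {
    printf("%-32s %s\n", $u, example_is_public_http_url($u, $stub) ? 'allow' : 'block');
}
```

Only the first sample URL is allowed. In WordPress code, `wp_safe_remote_get()` applies comparable destination validation to outbound requests.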
OpenCVE Enrichment