Description
Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.
Published: 2026-06-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the PowerPress Podcasting WordPress plugin when installed in versions 11.15.10 or earlier. The vulnerability allows an attacker to supply crafted input that is not properly sanitized, enabling the execution of arbitrary SQL statements. This could allow the attacker to read, modify, or delete data stored in the WordPress database, potentially exposing sensitive information, corrupting content, or creating privileged accounts.

Affected Systems

WordPress sites running the Blubrry Podcasting PowerPress plugin version 11.15.10 or older are affected. The vendor’s advisory recommends updating to version 11.15.11 or later, which contains the necessary input‑validation fixes.

Risk and Exploitability

The issue carries a CVSS score of 8.5, indicating high severity, but the EPSS score is below 1%, suggesting a low likelihood of active exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector involves a web-based form or configuration interface processed by the plugin; an attacker would need access to submit the malicious payload. Although exploitation requires a vulnerable plugin instance, the potential impact on data confidentiality and integrity is substantial if successful.

Generated by OpenCVE AI on June 17, 2026 at 23:10 UTC.

Remediation

Vendor Solution

Update the WordPress PowerPress Podcasting Plugin to the latest available version (at least 11.15.11).


OpenCVE Recommended Actions

  • Upgrade the PowerPress Podcasting Plugin to version 11.15.11 or later.
  • If an upgrade cannot be performed immediately, disable the Contributor feature or replace the plugin with a trusted alternative until the patch is applied.
  • Conduct a database audit for anomalous queries or unauthorized changes that could indicate exploitation and adjust database permissions to limit write access from web‑accessible interfaces.

Generated by OpenCVE AI on June 17, 2026 at 23:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Blubrry
Blubrry powerpress Podcasting
Wordpress
Wordpress wordpress
Vendors & Products Blubrry
Blubrry powerpress Podcasting
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.
Title WordPress PowerPress Podcasting plugin <= 11.15.10 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Blubrry Powerpress Podcasting
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T18:16:42.744Z

Reserved: 2026-01-23T12:32:36.811Z

Link: CVE-2026-24637

cve-icon Vulnrichment

Updated: 2026-06-16T18:16:35.508Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:40.163

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-24637

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')