Impact
The Blubrry PowerPress Podcasting plugin for WordPress allows users with the Contributor role or higher to embed podcast content with shortcodes. In affected releases the plugin fails to properly sanitize or escape data supplied through the powerpress and podcast shortcodes, so an authenticated attacker can persist arbitrary JavaScript in a post or page. When a visitor loads that page, the script executes in their browser, potentially hijacking the session, defacing the site, or performing other malicious actions on behalf of the user. This weakness is a classic stored XSS; it affects the confidentiality, integrity, and availability of the site’s content and user sessions.
Affected Systems
Vulnerable products are Blubrry PowerPress Podcasting plugin versions 11.15.15 and earlier. The plugin is installed as a WordPress extension that lets contributors embed podcast feeds using shortcodes; any user with contributor, author, editor, or administrator privileges can create or edit content containing the vulnerable shortcodes.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate severity. Exploit probability information is currently unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires authenticated contributor‑level access to the WordPress site; once the attacker has it, an injected payload is stored with the content and affects every visitor who views the affected page. The likely vector is therefore an authenticated user modifying content on the site.
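As an added illustration (not code from the PowerPress plugin), the shortcode-handler pattern behind this class of stored XSS is shown next to the output-escaped form WordPress expects; the shortcode name `demo_podcast` and its `url` and `title` attributes are hypothetical.

```php
<?php
// Added illustration, not PowerPress code. Hypothetical shortcode:
// [demo_podcast url="https://example.test/ep1.mp3" title="Episode 1"]

// Weak pattern: attribute values written by the post author are interpolated into
// HTML unescaped. A contributor-level user can save a title or url value that closes
// the attribute or carries a script scheme; WordPress stores the shortcode as-is in
// post_content and renders it for every visitor.
function demo_podcast_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'demo_podcast' );
    return '<a class="podcast" href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a>';
}

// Hardened pattern: escape for each output context at render time.
// esc_url() returns '' for schemes outside wp_allowed_protocols() (e.g. javascript:),
// esc_attr() encodes quotes so the attribute cannot be terminated early, and
// esc_html() encodes the text node. None of these rely on what was saved in the post.
function demo_podcast_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'demo_podcast' );
    $url  = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // refuse to render a link whose URL failed validation
    }
    return '<a class="podcast" href="' . $url . '" title="' . esc_attr( $atts['title'] ) . '">'
         . esc_html( $atts['title'] ) . '</a>';
}

add_shortcode( 'demo_podcast', 'demo_podcast_shortcode_safe' );
```

If the shortcode must emit richer markup (a player widget with nested tags), pass the assembled HTML through wp_kses_post() rather than hand-escaping each fragment.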
OpenCVE Enrichment