Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS.This issue affects PowerPress Podcasting: from n/a through <= 11.15.13.
Published: 2026-03-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting
Action: Patch Now
AI Analysis

Impact

This vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE-79), as described in the CVE description. It allows stored XSS in the blubrry PowerPress Podcasting plugin for WordPress, meaning a malicious script can be persisted in plugin data and served to any visitor who views affected pages. If exploited, an attacker could inject arbitrary JavaScript that runs in the context of the site, potentially leading to cookie theft, session hijacking, defacement, or further compromise of site users.

Affected Systems

All installations of the PowerPress Podcasting plugin up to and including version 11.15.13 are affected. The vulnerability applies to every release from the earliest available version (n/a) through 11.15.13 inclusive, so any site running any of those versions is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate impact, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present; it is not listed in CISA’s KEV catalog. Exploitation likely requires the ability to submit or modify content via the plugin’s data entry interface, either through an authenticated administrative account or through a publicly exposed input. The vulnerability does not require advanced privileges beyond this ability, making it a relatively low-barrier attack vector.

Generated by OpenCVE AI on March 17, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PowerPress Podcasting to the latest version (>= 11.15.14) released by the vendor.
  • If an immediate update is not possible, consider disabling or deactivating the PowerPress plugin until a fix is applied to prevent exploitation.
  • Audit any custom code that writes or displays podcast content and ensure proper output encoding or sanitization to neutralize script payloads.
  • Monitor web logs for anomalous JavaScript injection attempts and be vigilant for signs of successful XSS exploitation.

Generated by OpenCVE AI on March 17, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Blubrry
Blubrry powerpress Podcasting
Wordpress
Wordpress wordpress
Vendors & Products Blubrry
Blubrry powerpress Podcasting
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS.This issue affects PowerPress Podcasting: from n/a through <= 11.15.13.
Title WordPress PowerPress Podcasting plugin <= 11.15.13 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Blubrry Powerpress Podcasting
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:57.129Z

Reserved: 2026-03-12T11:10:47.068Z

Link: CVE-2026-32351

cve-icon Vulnrichment

Updated: 2026-03-16T14:08:28.451Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:47.123

Modified: 2026-03-16T15:16:22.450

Link: CVE-2026-32351

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:05Z

Weaknesses