The Podlove Podcast Publisher plugin for WordPress contains an Improper Neutralization of Input During Web Page Generation vulnerability (CWE‑79) that allows stored cross‑site scripting (XSS). The flaw resides in the plugin’s handling of podcast metadata, enabling an attacker who can insert content into the plugin’s database to persist malicious JavaScript that is later rendered when the content is viewed. Successful exploitation can lead to client‑side code execution in the context of site visitors, potentially resulting in session hijacking, cookie theft, defacement, or other unintended client‑side activity.

This vulnerability affects the Podlove Podcast Publisher by Eric Teubert for WordPress, impacting all plugin releases from the initial version up to and including 4.3.3. No specific lower bound was identified; versions 4.3.4 and later are considered corrected.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of below 1 % suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation typically requires a user with permission to create or edit podcast entries, allowing injection of malicious content that is stored in the database. The attack vector is remote and web‑based, executed through the normal WordPress interface by an authenticated user, and the impact is confined to the site’s users who view the corrupted content.