Impact
This vulnerability arises from a missing authorization check in Craig Hewitt’s Seriously Simple Podcasting plugin. Because access controls are incorrectly configured, an attacker can reach privileged functions, such as creating, editing, or deleting podcasts and viewing private media, without being authenticated. The flaw is a classic broken access control scenario, classified as CWE‑862. Successful exploitation could allow an attacker to read, modify, or erase podcast content and administrative settings, jeopardizing the confidentiality, integrity, and availability of the site’s media assets.
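The missing-authorization pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress REST route that deletes a podcast episode, first registered with no permission check (the CWE‑862 shape) and then with a capability check bound to the specific post. The route namespace, function names and the `podcast` post type are assumptions.

```php
<?php
// Added illustration, not code from Seriously Simple Podcasting. Names and the
// 'podcast' post type are assumed for the example.

// VULNERABLE SHAPE (CWE-862): permission_callback lets every caller through, so an
// unauthenticated HTTP DELETE reaches the callback. Defined here for contrast only;
// it is never hooked.
function example_register_vulnerable_route() {
    register_rest_route( 'example-podcast/v1', '/episode/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_episode',
        'permission_callback' => '__return_true', // no authorization check at all
    ) );
}

// HARDENED SHAPE: authorization is decided before the callback runs. WordPress
// answers 401 for anonymous callers and 403 for logged-in users without the
// capability, so the delete logic is never reached in either case.
function example_register_hardened_route() {
    register_rest_route( 'example-podcast/v1', '/episode/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_episode',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $id = (int) $request['id'];
            // Check the capability on this specific post, not just "is logged in".
            if ( ! is_user_logged_in() || ! current_user_can( 'delete_post', $id ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to delete this episode.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

function example_delete_episode( WP_REST_Request $request ) {
    $id   = (int) $request['id'];
    $post = get_post( $id );
    // Defence in depth: confirm the object exists and is the expected type even
    // though permission_callback already ran.
    if ( ! $post || 'podcast' !== $post->post_type ) {
        return new WP_Error( 'not_found', 'Episode not found.', array( 'status' => 404 ) );
    }
    wp_trash_post( $id );
    return rest_ensure_response( array( 'deleted' => $id ) );
}
```

The same review applies to `admin-ajax.php` handlers and admin-page form processors: every privileged action needs a `current_user_can()` check (plus nonce verification for cookie-authenticated requests), not only the menu or UI that normally leads to it.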
Affected Systems
The flaw exists in all versions of the Seriously Simple Podcasting WordPress plugin that have not been upgraded past 3.14.2, that is, versions up to and including 3.14.2. Any WordPress installation that still hosts a vulnerable version of this plugin is potentially affected, regardless of the site’s overall configuration.
Risk and Exploitability
The CVSS base score of 5.3 indicates medium severity, and the EPSS score of less than 1 % suggests a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread attacks. Based on the description, the attack vector is likely web‑based, leveraging HTTP requests to the plugin’s endpoints that lack proper authorization. Although the flaw could be abused remotely via the public web interface, no evidence currently points to widespread exploitation, and the overall risk remains moderate.
OpenCVE Enrichment