Podlove Podcast Publisher is a powerful WordPress plugin designed to streamline podcast publishing. It offers features like multi-format publishing, enhanced RSS feeds, an optimized web player, and metadata management. However, a critical stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-13729) has been identified in versions prior to 4.1.24, allowing attackers to inject malicious scripts that could lead to unauthorized administrative actions.

CVE: CVE-2024-13729
Plugin: Simple Basic Contact Form
Criticality: High
All-time downloads: 511 957
Active installations: 10 000+
Publicly Published: March 19, 2025
Last Updated: March 19, 2025
Researcher: Artyom Krugov
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13729
https://wpscan.com/vulnerability/2feed26b-ef02-4954-ab9d-8b0f958b0ef1/

Timeline

November 27, 2025: Plugin testing and vulnerability detection in the Simple Basic Contact Form were completed.
November 27, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
March 11, 2025: Registered CVE-2024-12716.

Discovery of the Vulnerability

During a routine security audit, researchers identified a stored XSS vulnerability in the Podlove Podcast Publisher plugin. The issue arises from improper sanitization of user input in the Episode Assets title field. By injecting JavaScript payloads into this field, attackers can execute malicious scripts whenever an administrator accesses the affected section of the WordPress dashboard.

Understanding XSS Attacks

Stored XSS is a severe security flaw in which a malicious script is persisted on the target system (in a database field, an option, or a setting) and executed by the browser of every user who views the page that renders it. Unlike reflected XSS, which requires the victim to follow a crafted link, stored XSS affects all users who open the infected page, which is what makes it particularly dangerous when the page is an administrative one.

Exploiting the XSS Vulnerability

To exploit CVE-2024-13729, an attacker must follow these steps:

PoC:

1) Navigate to the Podlove plugin settings.
2) Select the Episode Assets tab.
3) Click Add a new Episode Asset.
4) Inject a malicious XSS payload into the Title column.
5) Save the settings and wait for an administrator to access the page.


Upon execution, the injected JavaScript runs in the administrator’s browser, potentially leading to further attacks, such as privilege escalation or full site takeover.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-13729, administrators should immediately update the Podlove Podcast Publisher plugin to version 4.1.24 or later, which contains the fix. Plugin developers should ensure that all user input fields, especially episode metadata such as the Title column in Episode Assets, are properly sanitized on input and escaped on output. Implementing a Content Security Policy (CSP) limits the impact of XSS by restricting the sources from which scripts may be loaded and executed. Site administrators should also restrict the permissions of unauthenticated users and regularly review user roles to prevent privilege escalation. Disallowing script content in input fields and applying sanitization functions such as wp_kses() prevents injected markup from being stored and later executed. The vendor applied our recommended fixes to address this vulnerability.
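The following PHP is an added illustration written for this article; it is not the Podlove plugin's code and does not reproduce the vulnerable function. It models the two points made above: how an Episode Asset title that is stored and then rendered verbatim carries a script to every administrator who opens the list, and how escaping on output (esc_html()) plus allow-list sanitization on input (wp_kses()) defuse it. The asset list, the table layout and the test payload `<script>alert(1)</script>` are constructed for the demonstration. The esc_html() and wp_kses() fallbacks are approximations so the file runs under plain PHP; inside WordPress the real functions are used.

```php
<?php
// Added example, not the plugin's own code. Runs stand-alone with plain PHP;
// when loaded inside WordPress the real esc_html()/wp_kses() take precedence.

if ( ! function_exists( 'esc_html' ) ) {
    // Fallback approximating WordPress esc_html(): encode the characters that
    // would otherwise let stored text be parsed as HTML.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

if ( ! function_exists( 'wp_kses' ) ) {
    // Fallback approximating wp_kses() with an empty allow list: drop every tag.
    function wp_kses( $text, $allowed_html, $allowed_protocols = array() ) {
        return strip_tags( (string) $text );
    }
}

// Constructed sample storage (in WordPress this would be an option or table row).
// Row 2 is an inert marker payload used only to show where the flaw is.
$stored_assets = array(
    array( 'id' => 1, 'title' => 'MP3 Audio' ),
    array( 'id' => 2, 'title' => '<script>alert(1)</script>' ), // constructed test value
);

// Vulnerable pattern: the stored title is concatenated into markup unchanged,
// so anything an editor typed into the field reaches every admin's browser as HTML.
function render_assets_vulnerable( array $assets ) {
    $html = '<table>';
    foreach ( $assets as $asset ) {
        $html .= '<tr><td>' . (int) $asset['id'] . '</td><td>' . $asset['title'] . '</td></tr>';
    }
    return $html . '</table>';
}

// Hardened pattern: escape at the point of output. The browser now displays the
// literal text "<script>alert(1)</script>" instead of executing it.
function render_assets_hardened( array $assets ) {
    $html = '<table>';
    foreach ( $assets as $asset ) {
        $html .= '<tr><td>' . (int) $asset['id'] . '</td><td>' . esc_html( $asset['title'] ) . '</td></tr>';
    }
    return $html . '</table>';
}

// Defence in depth: a title is plain text, so sanitize it on save with an empty
// allow list. Even if a later template forgets to escape, no markup was stored.
function sanitize_asset_title( $title ) {
    return trim( wp_kses( $title, array() ) );
}

// CSP header value that blocks inline scripts; send it with header() before output.
// This limits impact if an escaping bug slips through; it is not a substitute for escaping.
function csp_header_value() {
    return "Content-Security-Policy: script-src 'self'";
}

// Demonstration of the three behaviours on the constructed data.
$vulnerable = render_assets_vulnerable( $stored_assets );
$hardened   = render_assets_hardened( $stored_assets );

echo 'Vulnerable output contains a live <script> tag: ',
     ( strpos( $vulnerable, '<script>' ) !== false ? 'yes' : 'no' ), PHP_EOL;
echo 'Hardened output contains a live <script> tag:   ',
     ( strpos( $hardened, '<script>' ) !== false ? 'yes' : 'no' ), PHP_EOL;
echo 'Sanitized title stored instead of the payload:  ',
     sanitize_asset_title( $stored_assets[1]['title'] ), PHP_EOL;
echo 'Mitigating header: ', csp_header_value(), PHP_EOL;
```

Run it with `php example.php`: the vulnerable render reports a live `<script>` tag, the hardened render does not, and the sanitized title keeps only the text `alert(1)`. The order of defences matters: escaping on output is what actually prevents execution, input sanitization stops the payload from being persisted in the first place, and the CSP caps the blast radius if both are bypassed.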

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13729, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Artyom k.
CVE-2024-13729 – Podlove Podcast Publisher < 4.1.24 – Stored XSS to Admin Creation – POC