cleantalk
Vulnerabilities and Security Researches

Podlove Podcast Publisher, CVE-2025-0554

CVE, Research URL

CVE-2025-0554

Home page URL

Security reports for Podlove Podcast Publisher

Application

Podlove Podcast Publisher

Published on
Jan 18, 2025
Research Description
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version <= 4.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
Min -, max 4.2.0.
Status
vulnerable
Previous vulnerability researches
Podlove Podcast Publisher (CVE-2024-52393) , Nov 14, 2024
Podlove Podcast Publisher (CVE-2021-24666) , Jun 07, 2024
Podlove Podcast Publisher (CVE-2016-10941) , Jun 07, 2024
Podlove Podcast Publisher (CVE-2016-10942) , Jun 07, 2024
Podlove Podcast Publisher (CVE-2023-25472) , Jun 07, 2024
New vulnerability
Audio Comments Plugin (CVE-2025-4189) , May 18, 2025
WP Notes Widget (CVE-2025-48121) , May 18, 2025
Eventer (CVE-2025-39482) , May 18, 2025
Eventer (CVE-2025-39481) , May 18, 2025
Push notification for Mobile and Web app (CVE-2025-48127) , May 18, 2025