Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
UI:R corrects the provided vector - stored XSS requires a victim to visit the injected page; PR:L reflects mandatory author-level authentication; S:C captures cross-browser script execution.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core's post content pipeline, meaning kses-on-save filtering is never applied - even for Author-role users who would otherwise lack unfiltered_html - making this path unprotected by WordPress's standard role-based XSS mitigations.
AnalysisAI
Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through update_post_meta() rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the unfiltered_html capability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with Author-level access or higher - Subscriber and Contributor roles cannot exploit this because they cannot publish episode posts. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects a stored XSS with scope change, meaning injected scripts execute in a different security context (victim browser) than where they are stored (WordPress server). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with Author-level credentials on a WordPress site running PowerPress 11.16.8 navigates to the episode editor, enters a JavaScript payload (e.g., a cookie-stealing script) into the 'embed' Episode Meta Field, and publishes the post. The payload bypasses kses filtering and is stored directly in the wp_postmeta table; every subsequent visitor to that episode page receives and executes the injected script, enabling session token theft, credential harvesting, or drive-by malware delivery. … |
| Remediation | An upstream fix has been committed per the WordPress plugin trac changeset at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3575897%40powerpress&new=3575897%40powerpress; however, the specific patched release version number is not independently confirmed from the available data - administrators should check the WordPress plugin repository for a release newer than 11.16.8 and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37862
GHSA-6mj9-8qq5-v945