Skip to main content

PowerPress Podcasting CVE-2026-12098

| EUVDEUVD-2026-37862 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 Wordfence GHSA-6mj9-8qq5-v945
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

UI:R corrects the provided vector - stored XSS requires a victim to visit the injected page; PR:L reflects mandatory author-level authentication; S:C captures cross-browser script execution.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 08:08 vuln.today
CVE Published
Jun 18, 2026 - 06:50 cve.org
MEDIUM 6.4

DescriptionCVE.org

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core's post content pipeline, meaning kses-on-save filtering is never applied - even for Author-role users who would otherwise lack unfiltered_html - making this path unprotected by WordPress's standard role-based XSS mitigations.

AnalysisAI

Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through update_post_meta() rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the unfiltered_html capability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Author-level WordPress account
Delivery
Access episode post editor with PowerPress plugin
Exploit
Inject JavaScript payload into 'embed' Episode Meta Field
Execution
Payload persisted via update_post_meta() bypassing kses filters
Persist
Victim visits published episode page
Impact
Malicious script executes in victim browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with Author-level access or higher - Subscriber and Contributor roles cannot exploit this because they cannot publish episode posts. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects a stored XSS with scope change, meaning injected scripts execute in a different security context (victim browser) than where they are stored (WordPress server). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with Author-level credentials on a WordPress site running PowerPress 11.16.8 navigates to the episode editor, enters a JavaScript payload (e.g., a cookie-stealing script) into the 'embed' Episode Meta Field, and publishes the post. The payload bypasses kses filtering and is stored directly in the wp_postmeta table; every subsequent visitor to that episode page receives and executes the injected script, enabling session token theft, credential harvesting, or drive-by malware delivery. …
Remediation An upstream fix has been committed per the WordPress plugin trac changeset at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3575897%40powerpress&new=3575897%40powerpress; however, the specific patched release version number is not independently confirmed from the available data - administrators should check the WordPress plugin repository for a release newer than 11.16.8 and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy