Skip to main content

Podlove Podcast Publisher CVE-2026-13001

| EUVDEUVD-2026-44402 CRITICAL
Improper Input Validation (CWE-20)
2026-07-14 Wordfence GHSA-7gcx-p8g5-3g9x
9.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated (AV:N/PR:N/UI:N), but AC:H because exploitation requires influencing the cached image source and defeating existing partial validation; full RCE gives C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 21:05 vuln.today
Analysis Generated
Jul 14, 2026 - 21:05 vuln.today
CVE Published
Jul 14, 2026 - 19:33 nvd
CRITICAL 9.8

DescriptionCVE.org

The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'podlove_handle_cache_files' function in all versions up to, and including, 4.5.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

AnalysisAI

Arbitrary file upload in the Podlove Podcast Publisher WordPress plugin (all versions through 4.5.1) allows remote attackers to place attacker-controlled files on the server via the image caching path, potentially escalating to remote code execution. The root cause is incomplete file-type validation in the plugin's image cache handling, where a cached file's extension was trusted rather than re-derived from the actual validated image type. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Point plugin at attacker image source
Delivery
Trigger image cache download
Exploit
Bypass extension/MIME validation
Execution
Cached file stored as executable
Persist
Request cached file directly
Impact
Execute code as web server user

Vulnerability AssessmentAI

Exploitation Exploitation targets the Podlove image caching feature: the attacker must get the plugin to download and cache a file via its Model\Image download_source() path and cause the cached file to be stored with an executable extension that slips past the pre-fix MIME/extension checks in is_image(); web-execution of files in the cache directory must also be possible for the upload to reach RCE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8) rates this as critical and unauthenticated, and the RCE tag plus a WordPress deployment model make it attractive if reachable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker induces the plugin to fetch and cache an image from an attacker-controlled source, crafting the download so the cached file retains a dangerous (e.g., PHP) extension that bypasses the incomplete image validation. The malicious file lands in the plugin's cache directory, and the attacker then requests it directly to execute code as the web server user. …
Remediation Upgrade to the patched release published on WordPress.org (the fix corresponds to trac changeset 3597461 and database migration version 166, delivered in the first release after 4.5.1); the exact patched version number is not stated in the provided data, so confirm against the plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, disable the Podlove Podcast Publisher plugin and determine if it is operationally critical or if an alternative podcast publishing solution can replace it; if removal is not feasible, isolate the affected WordPress instance and deploy Web Application Firewall rules to block file uploads to the plugin's image cache directory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-24666 CRITICAL POC
9.8 Sep 27

The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by def

CVE-2024-32139 HIGH
8.5 Apr 15

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Podlove Podlove Po

CVE-2017-12949 HIGH
8.8 Aug 18

lib\modules\contributors\contributor_list_table.php in the Podlove Podcast Publisher plugin 2.5.3 and earlier for WordPr

CVE-2024-13730 MEDIUM POC
4.8 May 15

The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which cou

CVE-2024-13729 MEDIUM POC
4.8 May 15

The Podlove Podcast Publisher WordPress plugin before 4.1.24 does not sanitise and escape some of its settings, which co

CVE-2024-43984 HIGH
8.8 Oct 31

Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection.1.13. Rated h

CVE-2024-32143 HIGH
8.8 Jun 11

Missing Authorization vulnerability in Podlove Podlove Podcast Publisher.1.0. Rated high severity (CVSS 8.8), this vulne

CVE-2023-25472 HIGH
8.8 May 23

Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher plugin <= 3.8.3 versions. Rated hig

CVE-2024-32712 HIGH
7.5 May 14

Missing Authorization vulnerability in Podlove Podlove Podcast Publisher.0.14. Rated high severity (CVSS 7.5), this vuln

CVE-2024-29915 HIGH
7.1 Mar 27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Podlove Podlove Po

CVE-2024-32812 MEDIUM
5.4 Apr 24

Server-Side Request Forgery (SSRF) vulnerability in Podlove Podlove Podcast Publisher.0.11. Rated medium severity (CVSS

CVE-2024-43983 MEDIUM
5.4 Sep 18

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Podlove Pod

Share

CVE-2026-13001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy