Skip to main content

PowerPress Podcasting CVE-2026-24637

| EUVDEUVD-2026-36910 HIGH
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-9vmm-hvm2-m29r
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable wp-admin, low complexity, Contributor account required (PR:L), scope changes to DB exposing wp_users/wp_options (C:H); SQLi typically permits limited integrity tampering (I:L), availability unaffected.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:45 vuln.today

DescriptionCVE.org

Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.

AnalysisAI

SQL injection in the Blubrry PowerPress Podcasting WordPress plugin through version 11.15.10 allows authenticated users with Contributor-level privileges to inject arbitrary SQL into backend queries. The flaw, reported by Patchstack and tracked as EUVD-2026-36910, scores CVSS 8.5 due to scope change reaching the underlying database, but no public exploit identified at time of analysis. Confidentiality impact is high while integrity is unaffected, suggesting data exfiltration rather than tampering is the primary risk.

Technical ContextAI

PowerPress Podcasting is a popular Blubrry-maintained WordPress plugin used by podcasters to publish RSS feeds, episode metadata, and media players. The CPE cpe:2.3:a:blubrry_podcasting:powerpress_podcasting confirms this single affected product. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input reachable from a Contributor-accessible endpoint is concatenated into a SQL statement without parameterization or proper escaping, allowing the underlying MySQL/MariaDB query to be manipulated.

RemediationAI

Patch available per vendor advisory - upgrade the PowerPress Podcasting plugin to a release later than 11.15.10 via the WordPress plugin dashboard or by replacing the plugin directory; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/powerpress/vulnerability/wordpress-powerpress-podcasting-plugin-11-15-10-sql-injection-vulnerability for the exact fixed build, as no specific patched version was independently confirmed in the provided intelligence. If immediate patching is not possible, reduce the attack surface by auditing Contributor-role accounts and removing untrusted ones, disabling open user registration in Settings → General (side effect: blocks legitimate signups), and placing a WAF rule (e.g., the Patchstack mu-plugin or Wordfence) in front of the plugin's admin-ajax and REST endpoints to filter SQL metacharacters in PowerPress parameters (side effect: possible false positives on legitimate episode metadata containing quotes). Rotate WordPress secret keys (AUTH_KEY etc.) and database credentials after patching if Contributor accounts are suspected of having been compromised.

Share

CVE-2026-24637 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy