Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable wp-admin, low complexity, Contributor account required (PR:L), scope changes to DB exposing wp_users/wp_options (C:H); SQLi typically permits limited integrity tampering (I:L), availability unaffected.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.
AnalysisAI
SQL injection in the Blubrry PowerPress Podcasting WordPress plugin through version 11.15.10 allows authenticated users with Contributor-level privileges to inject arbitrary SQL into backend queries. The flaw, reported by Patchstack and tracked as EUVD-2026-36910, scores CVSS 8.5 due to scope change reaching the underlying database, but no public exploit identified at time of analysis. Confidentiality impact is high while integrity is unaffected, suggesting data exfiltration rather than tampering is the primary risk.
Technical ContextAI
PowerPress Podcasting is a popular Blubrry-maintained WordPress plugin used by podcasters to publish RSS feeds, episode metadata, and media players. The CPE cpe:2.3:a:blubrry_podcasting:powerpress_podcasting confirms this single affected product. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input reachable from a Contributor-accessible endpoint is concatenated into a SQL statement without parameterization or proper escaping, allowing the underlying MySQL/MariaDB query to be manipulated.
RemediationAI
Patch available per vendor advisory - upgrade the PowerPress Podcasting plugin to a release later than 11.15.10 via the WordPress plugin dashboard or by replacing the plugin directory; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/powerpress/vulnerability/wordpress-powerpress-podcasting-plugin-11-15-10-sql-injection-vulnerability for the exact fixed build, as no specific patched version was independently confirmed in the provided intelligence. If immediate patching is not possible, reduce the attack surface by auditing Contributor-role accounts and removing untrusted ones, disabling open user registration in Settings → General (side effect: blocks legitimate signups), and placing a WAF rule (e.g., the Patchstack mu-plugin or Wordfence) in front of the plugin's admin-ajax and REST endpoints to filter SQL metacharacters in PowerPress parameters (side effect: possible false positives on legitimate episode metadata containing quotes). Rotate WordPress secret keys (AUTH_KEY etc.) and database credentials after patching if Contributor accounts are suspected of having been compromised.
More in Powerpress Podcasting
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36910
GHSA-9vmm-hvm2-m29r