Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.2.
AnalysisAI
Missing authorization in Craig Hewitt Seriously Simple Podcasting plugin allows unauthenticated attackers to read sensitive podcast information through incorrectly configured access controls. The vulnerability affects versions 3.14.2 and earlier of the WordPress plugin. CVSS 5.3 with 0.02% EPSS score indicates limited real-world exploitation likelihood despite the network-accessible attack vector. No public exploit code or active CISA KEV listing confirms this as a lower-priority authorization disclosure issue.
Technical ContextAI
This vulnerability falls under CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to enforce proper permission checks on sensitive operations or data access. In the Seriously Simple Podcasting WordPress plugin, the broken access control logic allows unauthenticated users (PR:N in CVSS vector) to exploit misconfigured security levels that should restrict access to podcast metadata or configuration. The plugin, distributed as cpe:2.3:a:craig_hewitt:seriously_simple_podcasting:*:*:*:*:*:*:*:*, implements insufficient validation of user roles or capabilities before serving protected podcast resources. WordPress plugins rely on the plugin_can_be_activated_on_this_site() and current_user_can() functions to enforce access; failure to call these functions on sensitive endpoints directly results in authorization bypass.
RemediationAI
Upgrade Craig Hewitt Seriously Simple Podcasting to version 3.14.3 or later. The vendor has released a patched version addressing the access control misconfiguration; WordPress administrators should navigate to their plugin dashboard, locate Seriously Simple Podcasting, and apply the available update. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-2-broken-access-control-vulnerability?_s_id=cve) for detailed patch notes. In the interim, restrict direct access to sensitive podcast endpoints via Web Application Firewall rules if upgrade timing cannot be expedited.
More in Seriously Simple Podcasting
View allThe Seriously Simple Podcasting WordPress plugin before 3.3.0 does not sanitise and escape some of its settings, which c
The Seriously Simple Podcasting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of a
Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Podcasting plugin <= 2.16.0 at WordPress, leading to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20170
GHSA-cf7f-xm6m-hvfh