Skip to main content

Seriously Simple Podcasting EUVDEUVD-2026-20170

| CVE-2026-39505 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-cf7f-xm6m-hvfh
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20170
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.2.

AnalysisAI

Missing authorization in Craig Hewitt Seriously Simple Podcasting plugin allows unauthenticated attackers to read sensitive podcast information through incorrectly configured access controls. The vulnerability affects versions 3.14.2 and earlier of the WordPress plugin. CVSS 5.3 with 0.02% EPSS score indicates limited real-world exploitation likelihood despite the network-accessible attack vector. No public exploit code or active CISA KEV listing confirms this as a lower-priority authorization disclosure issue.

Technical ContextAI

This vulnerability falls under CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to enforce proper permission checks on sensitive operations or data access. In the Seriously Simple Podcasting WordPress plugin, the broken access control logic allows unauthenticated users (PR:N in CVSS vector) to exploit misconfigured security levels that should restrict access to podcast metadata or configuration. The plugin, distributed as cpe:2.3:a:craig_hewitt:seriously_simple_podcasting:*:*:*:*:*:*:*:*, implements insufficient validation of user roles or capabilities before serving protected podcast resources. WordPress plugins rely on the plugin_can_be_activated_on_this_site() and current_user_can() functions to enforce access; failure to call these functions on sensitive endpoints directly results in authorization bypass.

RemediationAI

Upgrade Craig Hewitt Seriously Simple Podcasting to version 3.14.3 or later. The vendor has released a patched version addressing the access control misconfiguration; WordPress administrators should navigate to their plugin dashboard, locate Seriously Simple Podcasting, and apply the available update. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-2-broken-access-control-vulnerability?_s_id=cve) for detailed patch notes. In the interim, restrict direct access to sensitive podcast endpoints via Web Application Firewall rules if upgrade timing cannot be expedited.

Share

EUVD-2026-20170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy