Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.This issue affects Podigee: from n/a through <= 1.4.0.
AnalysisAI
Server-Side Request Forgery (SSRF) in Podigee plugin versions up to 1.4.0 allows remote attackers to make arbitrary HTTP requests from the affected server to internal or external resources without authentication. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact across trust boundaries (AV:N/AC:H/PR:N). EPSS exploitation probability is very low at 0.02% (4th percentile), indicating minimal real-world attack likelihood despite public vulnerability disclosure.
Technical ContextAI
Server-Side Request Forgery (CWE-918) vulnerabilities occur when an application makes HTTP requests based on untrusted user input without proper validation or allowlisting. In the Podigee WordPress plugin, the application likely accepts user-controlled URLs or parameters that are passed to backend request libraries (such as PHP's file_get_contents, cURL, or equivalent), enabling attackers to redirect requests to internal services (localhost, private IP ranges, internal APIs), external targets, or cloud metadata endpoints. The Podigee plugin (CPE: cpe:2.3:a:podigee:podigee:*:*:*:*:*:*:*:*) is a WordPress audio/podcast hosting and management tool that handles media URLs and feeds; the SSRF likely exists in functionality that fetches external podcast feeds, metadata, or media files.
RemediationAI
Update the Podigee plugin to a version later than 1.4.0 as soon as a patched release becomes available through the official WordPress plugin repository. Until a patch is released, disable or restrict access to Podigee plugin features that accept external URLs or fetch remote content (such as feed import functionality) if possible, and implement network-level restrictions to prevent the WordPress server from accessing internal infrastructure (using firewall rules or security groups to deny outbound connections to private IP ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and cloud metadata endpoints). For detailed remediation guidance, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/podigee/vulnerability/wordpress-podigee-plugin-1-4-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20392
GHSA-3j6c-rq24-cp7j