Skip to main content

Fresh Podcaster

1 CVEs product

Monthly

CVE-2026-1382 MEDIUM This Month

Stored Cross-Site Scripting in the Fresh Podcaster WordPress plugin (all versions through 1.0.7) allows authenticated attackers holding at minimum contributor-level roles to inject persistent JavaScript payloads via unsanitized attributes of the 'freshpodcaster' shortcode. The injected script executes automatically in any visitor's browser upon loading an affected page, enabling session hijacking, credential theft, or unauthorized actions on behalf of higher-privileged users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the Changed scope in the CVSS vector underscores that impact crosses the plugin boundary into victims' browser sessions.

WordPress XSS Fresh Podcaster
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Fresh Podcaster WordPress plugin (all versions through 1.0.7) allows authenticated attackers holding at minimum contributor-level roles to inject persistent JavaScript payloads via unsanitized attributes of the 'freshpodcaster' shortcode. The injected script executes automatically in any visitor's browser upon loading an affected page, enabling session hijacking, credential theft, or unauthorized actions on behalf of higher-privileged users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the Changed scope in the CVSS vector underscores that impact crosses the plugin boundary into victims' browser sessions.

WordPress XSS Fresh Podcaster
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy