Fresh Podcaster
Monthly
Stored Cross-Site Scripting in the Fresh Podcaster WordPress plugin (all versions through 1.0.7) allows authenticated attackers holding at minimum contributor-level roles to inject persistent JavaScript payloads via unsanitized attributes of the 'freshpodcaster' shortcode. The injected script executes automatically in any visitor's browser upon loading an affected page, enabling session hijacking, credential theft, or unauthorized actions on behalf of higher-privileged users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the Changed scope in the CVSS vector underscores that impact crosses the plugin boundary into victims' browser sessions.
Stored Cross-Site Scripting in the Fresh Podcaster WordPress plugin (all versions through 1.0.7) allows authenticated attackers holding at minimum contributor-level roles to inject persistent JavaScript payloads via unsanitized attributes of the 'freshpodcaster' shortcode. The injected script executes automatically in any visitor's browser upon loading an affected page, enabling session hijacking, credential theft, or unauthorized actions on behalf of higher-privileged users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the Changed scope in the CVSS vector underscores that impact crosses the plugin boundary into victims' browser sessions.