Skip to main content

Powerpress Podcasting Plugin By Blubrry

1 CVEs product

Monthly

CVE-2026-12098 MEDIUM This Month

Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.

WordPress XSS Powerpress Podcasting Plugin By Blubrry
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.

WordPress XSS Powerpress Podcasting Plugin By Blubrry
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy