WordPress Podlove Podcast Publisher Plugin <= 3.8.3 is vulnerable to Cross Site Request Forgery (CSRF)
Description
Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher plugin <= 3.8.3 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Podlove Podcast Publisher plugin ≤3.8.3 lets attackers forge requests on behalf of authenticated admins.
Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability exists in the Podlove Podcast Publisher plugin for WordPress. Versions 3.8.3 and earlier are affected [1]. The plugin fails to implement proper CSRF nonces or tokens on certain administrative actions, allowing unauthorized requests to be forged.
Exploitation
An attacker must trick a logged-in WordPress administrator into clicking a malicious link or visiting a specially crafted page while their session is active. No additional authentication is required; the forged request will be executed with the admin’s privileges. The lack of CSRF protection enables the attacker to perform any action that the plugin exposes to administrators, such as changing configuration, importing/exporting data, or modifying episodes.
Impact
Successful exploitation allows an attacker to perform arbitrary administrative actions within the Podlove Podcast Publisher plugin. This could include altering podcast settings, deleting or modifying episodes, changing contributor information, or exfiltrating sensitive data. The attacker does not gain direct access to the underlying server, but can fully control the podcast’s appearance and behavior within WordPress.
Mitigation
The vulnerability has been patched in a later version of the plugin; the latest available release is 4.5.0 [1]. Users should update to the most recent version immediately. If updating is not possible, consider disabling the plugin until a fix can be applied, or use a web application firewall to block malicious requests targeting known CSRF endpoints.
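The description above says the plugin omitted nonce checks on administrative actions. The following is an added illustration, not code from Podlove or this CVE, of what that omission looks like in a generic WordPress admin-post handler and how the standard WordPress nonce APIs close it. The option name, action slugs and form fields are hypothetical.

```php
<?php
// Added illustration (not Podlove code). A generic admin-post handler that saves
// one plugin setting. Option name "example_feed_title" and the action slugs are
// hypothetical placeholders.

// --- Vulnerable pattern: no nonce check. A capability check alone is not
// --- enough, because the victim admin has the capability and the browser
// --- attaches their session cookies to a form submitted from any site.
add_action( 'admin_post_example_save_settings_unsafe', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    update_option(
        'example_feed_title',
        sanitize_text_field( wp_unslash( $_POST['feed_title'] ?? '' ) )
    );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
} );

// --- Hardened pattern: the settings form embeds a nonce tied to the action
// --- and to the current user's session, which a cross-site page cannot know.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="text" name="feed_title"
               value="<?php echo esc_attr( get_option( 'example_feed_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_settings', function () {
    // Stops with a 403 "The link you followed has expired" page when the nonce
    // is missing, invalid, expired, or was issued for a different action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    update_option(
        'example_feed_title',
        sanitize_text_field( wp_unslash( $_POST['feed_title'] ?? '' ) )
    );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
} );
```

The nonce is generated per user and per action and rotates on a fixed schedule, so it cannot be embedded in a page hosted elsewhere; this is why a nonce check is the durable fix, while the firewall rule mentioned above is only a stopgap until the plugin is updated. When reviewing a plugin, the check to look for is `check_admin_referer()` or `wp_verify_nonce()` at the top of every state-changing handler, paired with a `current_user_can()` capability test.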
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.8.3
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.