Podlove Podcast Publisher < 4.1.24 - Admin+ Stored XSS
Description
The Podlove Podcast Publisher WordPress plugin before 4.1.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Podlove Podcast Publisher plugin before 4.1.24 fails to sanitize settings, allowing admin-level stored XSS even without unfiltered_html.
Vulnerability
The Podlove Podcast Publisher WordPress plugin, in versions before 4.1.24, fails to properly sanitize and escape certain settings. This allows high-privilege users, such as administrators, to inject arbitrary web scripts or HTML into settings fields, which are then stored and executed in the context of the admin dashboard. The vulnerability exists because the plugin applies neither sufficient input sanitization when these settings are saved nor output escaping when they are rendered. [1]
Exploitation
To exploit this vulnerability, an attacker must have administrator-level access to the WordPress site. In a standard setup, the attacker can simply navigate to the plugin's settings page and inject malicious script code into the unsanitized fields. The attack is classified as Stored XSS because the payload is permanently stored and will execute when other administrators (or the attacker in a subsequent session) view the affected settings page. In multisite configurations, even if the unfiltered_html capability is disallowed (which typically prevents non-super-admin users from posting unfiltered HTML), an admin who is not a super-admin can still exploit this weakness. [1]
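The two halves of this defect (a setting stored without sanitization and then echoed without escaping) are easiest to see next to their fixed form. The PHP below is an added example written for this page; it is not Podlove's code and is not taken from the cited advisory. It assumes a WordPress environment and uses the core Settings API (register_setting, sanitize_text_field, esc_attr, wp_kses_post, current_user_can); the plugin prefix `mp_` and the option names `mp_subtitle` and `mp_description` are hypothetical.

```php
<?php
// Added example (not Podlove's code). Hypothetical plugin settings stored via
// the WordPress Settings API; all mp_* names and option keys are assumptions.

// --- Vulnerable pattern: raw value stored, then echoed into admin HTML ---
function mp_register_subtitle_unsafe() {
    // No sanitize_callback: whatever the submitting admin sends is stored verbatim.
    register_setting( 'mp_options', 'mp_subtitle' );
}
function mp_render_subtitle_unsafe() {
    // Unescaped output: stored markup runs in every admin's browser on this page,
    // regardless of whether the viewer or the author holds unfiltered_html.
    echo '<input type="text" name="mp_subtitle" value="' . get_option( 'mp_subtitle' ) . '">';
}

// --- Hardened pattern: sanitize on save, escape on output ---
function mp_sanitize_subtitle( $value ) {
    // A plain-text setting should never carry markup at all.
    return sanitize_text_field( (string) $value );
}
function mp_sanitize_description( $value ) {
    // For a field that legitimately holds limited HTML, defer to the site's
    // capability model: only users granted unfiltered_html keep raw markup;
    // everyone else (e.g. a non-super-admin site admin in multisite) gets the
    // same post-content allowlist WordPress applies to post bodies.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return (string) $value;
    }
    return wp_kses_post( (string) $value );
}
function mp_register_settings() {
    register_setting( 'mp_options', 'mp_subtitle', array(
        'type'              => 'string',
        'sanitize_callback' => 'mp_sanitize_subtitle',
        'default'           => '',
    ) );
    register_setting( 'mp_options', 'mp_description', array(
        'type'              => 'string',
        'sanitize_callback' => 'mp_sanitize_description',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'mp_register_settings' );

function mp_render_subtitle() {
    // Attribute context: esc_attr() neutralises quotes and angle brackets even
    // if an unfiltered value reached the database through another path.
    echo '<input type="text" name="mp_subtitle" value="'
        . esc_attr( get_option( 'mp_subtitle', '' ) ) . '">';
}
function mp_render_description_preview() {
    // HTML body context: filter again at render time instead of trusting that
    // the stored value was filtered on the way in (defence in depth).
    echo '<div class="mp-preview">'
        . wp_kses_post( get_option( 'mp_description', '' ) ) . '</div>';
}
```

The point of the `current_user_can( 'unfiltered_html' )` check in the save path is that WordPress core only enforces that capability on post content; a plugin that stores its own settings has to consult it itself, otherwise the multisite restriction described in the advisory is silently bypassed. Escaping again at output time protects every admin who views the page, even against values that predate the fix.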
Impact
A successful Stored XSS attack can lead to a wide range of malicious activities: the attacker can steal session cookies, exfiltrate sensitive data, perform actions on behalf of other admin users (such as creating new admin accounts or inserting backdoors), and deface the site. The overall impact includes compromise of the WordPress admin interface and privilege escalation within the site, potentially leading to full site takeover. [1]
Mitigation
Version 4.1.24 of the Podlove Podcast Publisher plugin fixes this vulnerability; the release is available from the WordPress plugin repository, and all users are strongly advised to update to version 4.1.24 or later immediately. There is no known workaround other than updating, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3 products (1 more not shown)
- (no CPE)
- (no CPE)
- Range: <4.1.24
Patches
14d2dc36dc016
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/2feed26b-ef02-4954-ab9d-8b0f958b0ef1/ (reference tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.