Podlove Podcast Publisher < 4.2.1 - Admin+ Stored XSS
Description
The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Podlove Podcast Publisher < 4.2.1 allows admin+ Stored XSS, even when unfiltered_html is disallowed (e.g., multisite).
Vulnerability
The Podlove Podcast Publisher WordPress plugin versions before 4.2.1 lack proper sanitization and escaping of some plugin settings. This flaw allows high-privilege users such as administrators to inject arbitrary JavaScript into the application when saving these settings. The vulnerability is especially impactful in multisite installations, where the unfiltered_html capability is normally disallowed for administrators, because the plugin does not enforce this restriction [1].
Exploitation
An attacker with administrator-level access to the WordPress site (including a super administrator on a multisite network) can inject a malicious script into an unsanitised plugin setting field. When the setting is saved and later rendered on the admin dashboard or on front-end pages, the stored script executes in the browser of any user who visits that page, including other administrators. Successful exploitation requires that the attacker be able to modify the plugin's settings [1].
Impact
A successful Stored Cross-Site Scripting (XSS) attack can lead to session hijacking, redirection to malicious sites, theft of authentication cookies, or further privilege escalation within the WordPress admin context. The attacker can perform any action the victim admin can, including creating new admin accounts, modifying site content, or installing malicious plugins [1].
Mitigation
The vulnerability is fixed in version 4.2.1 of the Podlove Podcast Publisher plugin, released on 2024-11-28. Site administrators should update to this version or later immediately. There is no known workaround if updating is not possible; disabling the plugin or restricting admin access are temporary measures. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- Range: <4.2.1
Patches
178b5e4cf762a
References
1. wpscan.com/vulnerability/4541a285-a095-4178-a64b-6a859eb5034e/ (tags: mitre, exploit, vdb-entry, technical-description)