Podlove Podcast Publisher <= 4.2.2 - Cross-Site Request Forgery via ajax_transcript_delete Function
Description
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Podlove Podcast Publisher plugin for WordPress up to version 4.2.2 is vulnerable to CSRF in ajax_transcript_delete(), allowing unauthenticated attackers to delete episode transcripts via a forged request.
Vulnerability
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 4.2.2 [1]. The issue resides in the ajax_transcript_delete() function, which lacks proper nonce validation. This makes the function susceptible to CSRF attacks, enabling an attacker to trick a site administrator into performing unintended actions.
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious request that deletes arbitrary episode transcripts. The attacker must trick a site administrator (with appropriate permissions) into performing an action, such as clicking on a crafted link. No prior authentication or special network access is required for the attacker, only the ability to deliver the forged request to a logged-in administrator.
Impact
Successful exploitation allows an attacker to delete arbitrary episode transcripts from the WordPress site. This results in a loss of data availability, potentially disrupting the podcast content and the user experience. The attacker gains no direct code execution or privilege escalation, but data deletion can have significant operational impact.
Mitigation
The vendor has released version 4.5.0 (last updated 2026-05-15) which likely contains the fix, though the reference does not explicitly confirm CSRF protections [1]. Users should update to the latest version (4.5.0 or higher) as soon as possible. No workaround is documented; the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.2.2
- Range: 0
Patches
23f37989e000f release 4.2.3
1 file changed · +1 −1
podlove.php+1 −1 modified@@ -2,7 +2,7 @@ /** * Plugin Name: Podlove Podcast Publisher * Plugin URI: https://podlove.org/podlove-podcast-publisher/ - * Version: 4.2.2 + * Version: 4.2.3 * Requires at least: 4.9.6 * Requires PHP: 8.0 * Author: Podlove
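Review bot: this hunk only bumps the `Version:` header in podlove.php from 4.2.2 to 4.2.3 and touches no AJAX handler; the `check_ajax_referer()` addition that the mechanics section attributes to patch_id=1720505 is not visible here, so before treating this changeset as the fix, confirm that the transcripts.php change (r3246867 in the references) is bundled in the 4.2.3 release rather than only the version bump.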
r3246867
Vulnerability mechanics
Root cause
"Missing or incorrect nonce validation on the ajax_transcript_delete() function allows Cross-Site Request Forgery."
Attack vector
An unauthenticated attacker can craft a forged request targeting the `ajax_transcript_delete()` function, which lacks nonce validation [patch_id=1720505]. By tricking a site administrator into clicking a malicious link or visiting a crafted page, the attacker can trigger the deletion of arbitrary episode transcripts. The attack requires no authentication on the attacker's part, only that the victim administrator performs an action such as clicking a link.
Affected code
The vulnerability exists in the `ajax_transcript_delete()` function within the Podlove Podcast Publisher plugin. The specific file is not shown in the patch diff, but the patch adds nonce validation to this AJAX handler.
What the fix does
The patch [patch_id=1720505] adds a `check_ajax_referer()` call to the `ajax_transcript_delete()` function, which validates a WordPress nonce before processing the deletion request. This closes the CSRF vulnerability by ensuring the request originated from the legitimate admin interface rather than from an external forged link. The version bump in [patch_id=1720504] updates the plugin version to 4.2.3.
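The following is an added illustration, not code from the Podlove plugin or its patch: a minimal WordPress AJAX delete handler in the shape the description implies (no nonce check) beside the hardened shape that validates a nonce with `check_ajax_referer()` and then checks the caller's capability. The hook name `wp_ajax_example_transcript_delete`, the nonce action string `example_transcript_delete`, the `episode_id` parameter, and the helper `example_delete_transcript()` are all assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Hook names, the nonce action
// string, the request parameter and the delete helper are assumptions.

// --- Vulnerable shape: the handler acts on any request carrying the admin's
// session cookie. A page on another origin can auto-submit a form to
// admin-ajax.php; the browser attaches the logged-in admin's cookies, so the
// deletion runs without the admin intending it. Nothing here proves intent.
function example_ajax_transcript_delete_vulnerable() {
    $episode_id = isset($_POST['episode_id']) ? absint($_POST['episode_id']) : 0;
    example_delete_transcript($episode_id);
    wp_send_json_success();
}

// --- Hardened shape: verify the nonce first, then authorization, then input.
function example_ajax_transcript_delete_hardened() {
    // check_ajax_referer($action, $query_arg, $die = true) reads the nonce from
    // $_REQUEST['nonce'] and calls wp_die() with "-1" when it is missing or does
    // not match the action for the current user. A cross-origin page cannot read
    // this value, so a forged request fails here.
    check_ajax_referer('example_transcript_delete', 'nonce');

    // A nonce proves the request came from the plugin's own admin UI; it is not
    // an authorization check, so the capability is verified separately.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error('insufficient permissions', 403); // exits
    }

    $episode_id = isset($_POST['episode_id']) ? absint($_POST['episode_id']) : 0;
    if ($episode_id === 0) {
        wp_send_json_error('missing or invalid episode_id', 400); // exits
    }

    example_delete_transcript($episode_id);
    wp_send_json_success(array('episode_id' => $episode_id));
}
// Registered only for authenticated users (no wp_ajax_nopriv_ variant): CSRF
// still works against the vulnerable shape because the victim is logged in.
add_action('wp_ajax_example_transcript_delete', 'example_ajax_transcript_delete_hardened');

// Issue the nonce to the legitimate admin page so its own JavaScript can send
// it as the "nonce" POST field alongside "action" and "episode_id".
function example_enqueue_admin_script($hook_suffix) {
    wp_enqueue_script(
        'example-transcripts',
        plugins_url('transcripts.js', __FILE__), // assumed asset path
        array('jquery'),
        '1.0',
        true
    );
    wp_localize_script('example-transcripts', 'exampleTranscripts', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        // Must use the same action string as check_ajax_referer() above.
        'nonce'   => wp_create_nonce('example_transcript_delete'),
    ));
}
add_action('admin_enqueue_scripts', 'example_enqueue_admin_script');

// Hypothetical helper standing in for whatever the plugin actually does when
// it removes a transcript; here it deletes an assumed post meta entry.
function example_delete_transcript($episode_id) {
    delete_post_meta($episode_id, '_example_transcript');
}
```

The order of checks in the hardened handler is deliberate: the nonce check rejects forged cross-origin requests before any state is touched, the capability check rejects low-privilege users who could otherwise obtain a valid nonce from their own session, and input validation runs last. A nonce alone does not stop a malicious logged-in user, and a capability check alone does not stop CSRF, so a handler needs both.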
Preconditions
- auth: A site administrator must be logged into WordPress and tricked into performing an action (e.g., clicking a link)
- input: The attacker must craft a forged request targeting the ajax_transcript_delete() function
- network: The attacker must have network access to the WordPress site
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.0/lib/modules/transcripts/transcripts.php (mitre)
- plugins.trac.wordpress.org/changeset/3246867/ (mitre)
- wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress/ (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/00a95ae7-3c58-4e5e-aaef-c04d1dacf27f (mitre)