VYPR
Medium severity 4.3 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47597

Description

Cross-Site Request Forgery (CSRF) vulnerability in Maulik Vora WP Podcasts Manager wp-podcasts-manager allows Cross Site Request Forgery. This issue affects WP Podcasts Manager: from n/a through <= 1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in WP Podcasts Manager plugin (≤1.3) allows attackers to force privileged users to perform unintended actions via crafted requests.

The WP Podcasts Manager plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.3. The root cause is the absence of CSRF protection on certain administrative actions, enabling an attacker to trick a logged-in administrator into executing unwanted operations without their consent [1].

Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially designed form while authenticated. The attacker does not need any prior authentication or special network access, as the attack can be delivered via email, social engineering, or by embedding the malicious link on a third-party site [1].

Successful exploitation allows the attacker to force the victim to perform actions under their current session, such as modifying plugin settings, deleting podcast episodes, or altering configuration. This could lead to unauthorized changes or data loss, though the impact is limited to actions the victim user is permitted to perform [1].

The vulnerability has been addressed in version 1.4 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. While the CVSS score is 4.3 (Medium), such CSRF flaws are frequently targeted in mass-exploit campaigns against WordPress sites [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
