VYPR · Medium severity (CVSS 6.5) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-59584

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS. This issue affects Penci Podcast: from n/a through <= 1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A DOM-based XSS vulnerability in the Penci Podcast plugin for WordPress allows authenticated attackers to inject malicious scripts because user-supplied input is insufficiently sanitized.

The Penci Podcast plugin for WordPress, versions up to and including 1.6, contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary scripts into web pages served by the plugin.

Exploitation requires a user with certain privileges, such as a contributor or higher, to perform an action like clicking a malicious link or submitting a crafted form [1]. The attack is triggered on the DOM side, meaning the malicious payload executes in a visitor's browser when the manipulated page is loaded.

Successful exploitation allows an attacker to inject malicious scripts that can redirect visitors, display unwanted advertisements, or steal sensitive information [1]. The CVSS v3 score is 6.5 (Medium), reflecting the need for user interaction and the potential for moderate impact.

To mitigate this vulnerability, users should update the Penci Podcast plugin to version 1.7 or later [1]. Patchstack users can enable auto-updates for vulnerable plugins. As this vulnerability is used in mass-exploit campaigns, immediate action is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.