CVE-2025-64201

Vulnerability

Overview A Cross-Site Request Forgery (CSRF) vulnerability exists in the PowerPress Podcasting plugin for WordPress, affecting versions from n/a through 11.13.12 [1]. The plugin fails to implement proper CSRF tokens or validation on certain actions, allowing attackers to craft malicious requests that can be executed by authenticated users.

Exploitation

Details Exploitation requires user interaction: a privileged user (e.g., administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form [1]. The attacker does not need authentication but relies on the victim's active session. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites.

Impact

Successful exploitation could allow an attacker to force the victim to perform unintended actions under their current authentication, such as modifying plugin settings, creating new podcast episodes, or other administrative tasks [1]. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited direct impact.

Mitigation

The vulnerability has been patched in version 11.14 of the plugin [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If unable to update, consult a hosting provider for assistance.