CVE-2026-24637
Description
An unauthenticated SQL injection in PowerPress Podcasting <= 11.15.10 allows attackers to extract sensitive data via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PowerPress Podcasting plugin for WordPress, versions 11.15.10 and earlier, contains a SQL injection vulnerability that reference [1] titles as a contributor-level issue, while the CVE description above calls it unauthenticated; the available sources do not reconcile the two, so treat the privilege requirement as unconfirmed until the reference is checked. The flaw is insufficient sanitization of user-supplied input that is incorporated into a database query, so that request data can alter the structure of the query instead of being treated as a plain value. No fix diff is available here, so the specific parameter and query involved are not identified.
Exploitation
An attacker sends a crafted HTTP request whose parameters carry SQL syntax [1]. If the description's unauthenticated characterization holds, no account and no user interaction are needed and network reachability of the site is sufficient; if the contributor-level requirement in the reference's title is the accurate one, the attacker first needs, or must obtain, a low-privilege account. Either way, the injected input changes the query the plugin executes, allowing the attacker to read rows the query was never meant to return.
Impact
Successful exploitation gives the attacker read access to the WordPress database through the injected query, including password hashes from wp_users, session tokens and other user metadata from wp_usermeta, and any other stored data [1]. Cracked or reused credentials can then lead to complete site compromise. The CVSS v3 score of 8.5 (High) reflects the severity of this information disclosure [1].
Mitigation
The vulnerability is patched in version 11.15.11 [1]; update to 11.15.11 or later immediately. Patchstack users can enable auto-update for vulnerable plugins only [1]. If updating is not immediately possible, consult your hosting provider or web developer. No other workaround is mentioned in the available references, and because the affected parameter is not identified on this page, no targeted request filter can be derived from it.
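A practical check for the advice above, added here as an example and not taken from the advisory or the plugin: read the installed PowerPress version from its plugin header and decide whether it falls in the affected range. It assumes the plugin's main file is `wp-content/plugins/powerpress/powerpress.php` with the standard WordPress `Version:` header line; the sample header embedded for a stand-alone run is constructed, not the real file. The version comparison is numeric on purpose, since comparing the raw strings would rank 11.15.9 above 11.15.10.

```python
"""Added example (not from the advisory or the plugin): check whether an installed
PowerPress build is in the affected range (<= 11.15.10) and needs the 11.15.11 fix.
Assumptions: the plugin's main file lives at wp-content/plugins/powerpress/powerpress.php
and carries the standard WordPress plugin header with a 'Version:' line."""
import re
from pathlib import Path

LAST_AFFECTED = "11.15.10"
FIXED_IN = "11.15.11"
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins/powerpress/powerpress.php")  # assumed path


def parse_version(v: str) -> tuple:
    """'11.15.10' -> (11, 15, 10). Numeric tuples order correctly; comparing the raw
    strings would rank '11.15.9' above '11.15.10'. Pre-release suffixes are ignored."""
    nums = re.findall(r"\d+", v)
    if not nums:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(n) for n in nums)


def is_affected(installed: str) -> bool:
    """True when the installed build is at or below the last affected release."""
    return parse_version(installed) <= parse_version(LAST_AFFECTED)


def version_from_header(plugin_source: str) -> str:
    """Extract the 'Version:' value from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_source, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def check_plugin_file(plugin_file: Path = DEFAULT_PLUGIN_FILE) -> dict:
    """Read the header from disk and report whether the 11.15.11 update is required."""
    source = plugin_file.read_text(encoding="utf-8", errors="replace")
    installed = version_from_header(source)
    return {"installed": installed, "affected": is_affected(installed), "fixed_in": FIXED_IN}


# Constructed sample header for a stand-alone run; not the real file contents.
SAMPLE_HEADER = """<?php
/*
Plugin Name: PowerPress Podcasting
Version: 11.15.10
*/
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(v, "affected" if is_affected(v) else "not affected", "fix in", FIXED_IN)
```

On a real install, call `check_plugin_file()` from the WordPress root (or pass the path explicitly); the same logic can be fed the output of a plugin inventory instead of the file header.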
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 11.15.10
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.