CVE-2026-23798
Awaiting Analysis - Queue
Deserialization Object Injection in PowerPress Podcasting Plugin

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting (powerpress) allows Object Injection. This issue affects PowerPress Podcasting: from n/a through <= 11.15.10.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-09
Generated: 2026-06-16
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: blubrry
Product: powerpress
Version / Range: to 11.15.10 (inc)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

CVE-2026-23798 is a PHP Object Injection vulnerability in the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.10.

This vulnerability allows a malicious actor with at least Contributor or Developer privileges within the WordPress environment to inject PHP objects, potentially leading to code injection, SQL injection, path traversal, denial of service, and other attacks if a suitable Property Oriented Programming (POP) chain is available.

It is classified under the OWASP Top 10 category A3: Injection.

The issue was reported on November 26, 2025, and publicly disclosed on February 25, 2026.

Mitigation involves updating the plugin to version 11.15.11 or later.

Impact Analysis

This vulnerability can have serious impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and denial of service attacks.

An attacker with sufficient privileges (Contributor or Developer) could exploit this vulnerability to compromise the integrity, confidentiality, and availability of the affected WordPress site.

Such exploitation could lead to loss of control over the website, data corruption, or service outages.

Detection Guidance

This vulnerability affects the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.10 and requires at least Contributor or Developer privileges for exploitation.

Detection can involve monitoring for PHP Object Injection attempts against the PowerPress plugin, in particular requests that attempt to inject malicious objects and otherwise unusual requests to plugin endpoints.

Patchstack provides an immediate mitigation rule to block exploitation attempts, which can also be used as a detection mechanism by monitoring blocked attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the PowerPress Podcasting Plugin to version 11.15.11 or later, where the vulnerability has been patched.

Until the update can be applied, Patchstack offers an immediate mitigation rule to block exploitation attempts.

It is also recommended to implement continuous security monitoring to detect and prevent exploitation of this and similar vulnerabilities.
