CVE-2026-23798
Deserialization Object Injection in PowerPress Podcasting Plugin
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blubrry | powerpress | up to 11.15.10 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23798 is a PHP Object Injection vulnerability in the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.10.
This vulnerability allows a malicious actor with at least Contributor or Developer privileges within the WordPress environment to inject PHP objects, potentially leading to code injection, SQL injection, path traversal, denial of service, and other attacks if a suitable Property Oriented Programming (POP) chain is available.
It is classified under the OWASP Top 10 category A3: Injection.
The issue was reported on November 26, 2025, and publicly disclosed on February 25, 2026.
Mitigation involves updating the plugin to version 11.15.11 or later.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and denial of service attacks.
An attacker with sufficient privileges (Contributor or Developer) could exploit this vulnerability to compromise the integrity, confidentiality, and availability of the affected WordPress site.
Such exploitation could lead to loss of control over the website, data corruption, or service outages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.10 and requires at least Contributor or Developer privileges for exploitation.
Detection can involve monitoring for exploitation attempts targeting PHP Object Injection vulnerabilities in the PowerPress plugin, especially attempts to inject malicious objects or unusual requests to plugin endpoints.
Patchstack provides an immediate mitigation rule to block exploitation attempts, which can also be used as a detection mechanism by monitoring blocked attempts.
Specific commands are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the PowerPress Podcasting Plugin to version 11.15.11 or later, where the vulnerability has been patched.
Until the update can be applied, Patchstack offers an immediate mitigation rule to block exploitation attempts.
It is also recommended to implement continuous security monitoring to detect and prevent exploitation of this and similar vulnerabilities.