CVE-2026-32351
Received Received - Intake
Stored XSS in PowerPress Podcasting Plugin

Publication date: 2026-03-13

Last updated on: 2026-03-16

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS.This issue affects PowerPress Podcasting: from n/a through <= 11.15.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32351
EUVD
EUVD-2026-11837
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
blubrry powerpress to 11.15.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32351 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.13.

This vulnerability allows a malicious actor to inject and execute malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”on websites using the affected plugin.

Exploitation requires user interaction by a privileged user (author or developer role) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.

The vulnerability is classified under OWASP Top 10 category A3: Injection and has a CVSS score of 5.9, indicating moderate severity.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts on your website, which may lead to unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

Since exploitation requires interaction by privileged users, it could compromise trusted user sessions or lead to unauthorized actions performed under their credentials.

However, the issue is considered low priority with no impactful threat and is unlikely to be widely exploited.

Updating the plugin to version 11.15.14 or later mitigates this risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.13 and involves Stored Cross Site Scripting (XSS). Detection involves identifying if the vulnerable plugin version is installed and if there are any suspicious script injections or unexpected HTML payloads executed on the site.

Since exploitation requires user interaction by privileged users (author or developer roles), monitoring user actions and input fields for malicious scripts can help detect attempts.

Specific commands are not provided in the resources, but general detection steps include:

  • Check the installed version of the PowerPress plugin to see if it is <= 11.15.13.
  • Use WordPress CLI commands to list plugin versions, e.g., `wp plugin list`.
  • Scan the website content and database for suspicious script tags or injected HTML in podcast episode descriptions or other plugin-managed fields.
  • Monitor logs for unusual user activity by privileged users that might indicate exploitation attempts.
Mitigation Strategies

The primary mitigation step is to update the PowerPress Podcasting Plugin to version 11.15.14 or later, where the vulnerability has been patched.

Additional immediate steps include:

  • Restrict privileged user access (authors, developers) to trusted individuals only.
  • Avoid clicking suspicious links or submitting untrusted forms while logged in with privileged roles.
  • Use security plugins or services that provide automatic updates and monitoring for vulnerable plugins.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart