CVE-2026-32351
Stored XSS in PowerPress Podcasting Plugin
Publication date: 2026-03-13
Last updated on: 2026-03-16
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blubrry | powerpress | to 11.15.13 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32351 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.13.
This vulnerability allows a malicious actor to inject and execute malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβon websites using the affected plugin.
Exploitation requires user interaction by a privileged user (author or developer role) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability is classified under OWASP Top 10 category A3: Injection and has a CVSS score of 5.9, indicating moderate severity.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts on your website, which may lead to unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.
Since exploitation requires interaction by privileged users, it could compromise trusted user sessions or lead to unauthorized actions performed under their credentials.
However, the issue is considered low priority with no impactful threat and is unlikely to be widely exploited.
Updating the plugin to version 11.15.14 or later mitigates this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress PowerPress Podcasting Plugin versions up to and including 11.15.13 and involves Stored Cross Site Scripting (XSS). Detection involves identifying if the vulnerable plugin version is installed and if there are any suspicious script injections or unexpected HTML payloads executed on the site.
Since exploitation requires user interaction by privileged users (author or developer roles), monitoring user actions and input fields for malicious scripts can help detect attempts.
Specific commands are not provided in the resources, but general detection steps include:
- Check the installed version of the PowerPress plugin to see if it is <= 11.15.13.
- Use WordPress CLI commands to list plugin versions, e.g., `wp plugin list`.
- Scan the website content and database for suspicious script tags or injected HTML in podcast episode descriptions or other plugin-managed fields.
- Monitor logs for unusual user activity by privileged users that might indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the PowerPress Podcasting Plugin to version 11.15.14 or later, where the vulnerability has been patched.
Additional immediate steps include:
- Restrict privileged user access (authors, developers) to trusted individuals only.
- Avoid clicking suspicious links or submitting untrusted forms while logged in with privileged roles.
- Use security plugins or services that provide automatic updates and monitoring for vulnerable plugins.