CVE-2026-32448
Stored XSS in Podlove Podcast Publisher Plugin
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eric_teubert | podlove_podcast_publisher | up to 4.3.3 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32448 is a Cross Site Scripting (XSS) vulnerability in the WordPress Podlove Podcast Publisher Plugin versions up to and including 4.3.3.
This vulnerability allows a malicious actor to inject and execute malicious scripts (such as redirects, advertisements, or other HTML payloads) on websites using the affected plugin.
Exploitation requires user interaction by a privileged user with at least Contributor or Developer roles, who must perform an action like clicking a malicious link, visiting a crafted page, or submitting a form.
How can this vulnerability impact me?
The vulnerability can lead to the execution of malicious scripts on your website, which may cause unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.
Because exploitation requires interaction by a privileged user, the impact is somewhat limited but can still compromise the integrity and security of your website.
The CVSS score of 6.5 indicates moderate severity, meaning it is a significant risk but not critical.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross Site Scripting (XSS) issue in the Podlove Podcast Publisher WordPress plugin up to version 4.3.3. Detection typically involves identifying malicious script injections in web pages generated by the plugin.
Since exploitation requires a privileged user interaction (Contributor or Developer roles), monitoring logs for suspicious user actions such as unexpected form submissions, clicks on unusual links, or visits to crafted pages can help detect attempts.
Specific commands are not provided in the available resources, but general approaches include:
- Reviewing web server logs for unusual POST requests or URL parameters related to the plugin.
- Using web vulnerability scanners that support detection of stored XSS vulnerabilities on WordPress plugins.
- Manually inspecting input fields and stored content generated by the plugin for injected scripts.
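The third approach above, inspecting stored content for injected scripts, can be partly automated. The following is an added example written for this record; it is not code from Patchstack or from the Podlove Podcast Publisher project, and it does not know which plugin field is affected (the page does not say). It assumes you have already exported the plugin-managed text fields (episode summaries, contributor names and similar) into (label, stored_html) pairs; the sample rows and field labels below are constructed for illustration, not the plugin's real schema. It flags markup that should never appear in such fields, both as stored and after one round of HTML-entity decoding, since an encoded payload is only harmless if every output path re-escapes it.

```python
"""Heuristic scan of stored WordPress plugin content for injected script markup.

Added example for this CVE record, not code from the Podlove project or Patchstack.
Assumes plugin-managed text fields have been exported as (label, stored_html) pairs.
"""
from __future__ import annotations

import html
import re
from typing import Iterable

# Markup that should not appear in plain text fields such as episode titles,
# show notes or contributor names. These are deliberately loose heuristics and
# will need tuning against content that legitimately embeds players or frames.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "inline_event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.IGNORECASE),
    "meta_refresh": re.compile(r"<\s*meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.IGNORECASE),
}


def scan_fragment(fragment: str) -> list[str]:
    """Return the indicator names matching the fragment.

    Matches on the raw stored value are reported by name; matches that only
    appear after one round of HTML-entity decoding are prefixed with
    'entity_encoded_', so a reviewer can tell the two cases apart.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(fragment)]
    decoded = html.unescape(fragment)
    if decoded != fragment:
        for name, rx in INDICATORS.items():
            if name not in hits and rx.search(decoded):
                hits.append(f"entity_encoded_{name}")
    return hits


def scan_rows(rows: Iterable[tuple[str, str]]) -> list[dict]:
    """Scan (label, stored_html) pairs and return only the rows with findings."""
    findings = []
    for label, fragment in rows:
        hits = scan_fragment(fragment)
        if hits:
            findings.append({"label": label, "indicators": hits, "preview": fragment[:60]})
    return findings


# Constructed sample rows standing in for an export of plugin-managed content.
# The labels are illustrative field names, not the plugin's real schema.
SAMPLE_ROWS = [
    ("episode:12:summary", "<p>Interview about <b>podcast hosting</b> and RSS.</p>"),
    ("episode:13:summary", "Show notes <script>location='https://example.invalid/'</script>"),
    ("contributor:4:name", '<img src=x onerror="void 0">'),
    ("episode:14:summary", "Links: &lt;a href=&quot;javascript:void(0)&quot;&gt;click&lt;/a&gt;"),
    ("episode:15:summary", "Normal text mentioning onload events in a sentence."),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding["label"], finding["indicators"], repr(finding["preview"]))
```

Run it against a real export rather than the sample rows; every finding is a candidate for manual review, not proof of compromise, and a clean result does not rule out a payload stored in a field you did not export. Rows flagged with an `entity_encoded_` prefix are the ones worth checking against how the plugin renders that field on the front end.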
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the Podlove Podcast Publisher plugin to version 4.3.4 or later, where the vulnerability has been patched.
Additionally, limiting privileged user interactions and educating users with Contributor or Developer roles to avoid clicking suspicious links or submitting untrusted forms can reduce exploitation risk.
Using automated update tools like Patchstack can help rapidly deploy the patch and mitigate the vulnerability.