{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1383", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-16T23:08:11.128Z", "datePublished": "2025-03-06T11:11:01.134Z", "dateUpdated": "2026-04-08T16:32:22.031Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:22.031Z"}, "affected": [{"vendor": "eteubert", "product": "Podlove Podcast Publisher", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Podlove Podcast Publisher <= 4.2.2 - Cross-Site Request Forgery via ajax_transcript_delete Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00a95ae7-3c58-4e5e-aaef-c04d1dacf27f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.0/lib/modules/transcripts/transcripts.php#L223"}, {"url": "https://wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3246867/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abbas Mamoun"}], "timeline": [{"time": "2025-03-05T21:31:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-06T16:19:26.452623Z", "id": "CVE-2025-1383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:19:43.974Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-06T16:19:26.452623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:19:31.340Z"}}], "cna": {"title": "Podlove Podcast Publisher <= 4.2.2 - Cross-Site Request Forgery via ajax_transcript_delete Function", "credits": [{"lang": "en", "type": "finder", "value": "Abbas Mamoun"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "eteubert", "product": "Podlove Podcast Publisher", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-05T21:31:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00a95ae7-3c58-4e5e-aaef-c04d1dacf27f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.0/lib/modules/transcripts/transcripts.php#L223"}, {"url": "https://wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3246867/"}], "descriptions": [{"lang": "en", "value": "The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:22.031Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1383", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:22.031Z", "dateReserved": "2025-02-16T23:08:11.128Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-06T11:11:01.134Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:podlove:podlove_podcast_publisher:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7A0BCD51-C042-4529-9BBC-8D02DF2ABD9D", "versionEndExcluding": "4.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Podlove Podcast Publisher para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 4.2.2 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la funci\u00f3n ajax_transcript_delete(). Esto permite que atacantes no autenticados eliminen transcripciones de episodios arbitrarios a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-1383", "lastModified": "2025-03-19T20:47:28.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-03-06T12:15:35.937", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.0/lib/modules/transcripts/transcripts.php#L223"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3246867/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00a95ae7-3c58-4e5e-aaef-c04d1dacf27f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:52:25.627382+00:00", "value": {"mitigation_remediation": ["Upgrade Podlove Podcast Publisher to version 4.2.3 or newer to restore proper nonce validation", "If an upgrade cannot be performed immediately, limit access to the ajax_transcript_delete endpoint by disabling the plugin or the related admin menu for users without the \"edit_posts\" capability", "Implement custom role checks or a temporary CSRF guard\u2014ensure that only authenticated users with the correct capability can call the deletion routine and verify a valid nonce before the action is performed"], "summary": {"action": "Upgrade plugin", "impact": "Cross\u2011Site Request Forgery resulting in deletion of episode transcripts"}, "threat_synthesis": {"affected_systems": "WordPress sites running any version of the Podlove Podcast Publisher plugin up to and including 4.2.2. The flaw is present in all installations of the plugin prior to the 4.2.3 release, regardless of other theme or plugin configurations.", "description_and_impact": "The vulnerability is a classic CSRF flaw in the Podlove Podcast Publisher WordPress plugin. The ajax_transcript_delete() function does not properly validate the nonce field, allowing an unauthenticated attacker to craft a request that a logged\u2011in administrator might unknowingly execute. The consequence is the loss or alteration of transcript data, which can compromise the integrity of the podcast publishing process and potentially disrupt listeners\u2019 access to episode information.", "risk_and_exploitability": "The CVSS score is 4.3, rating the vulnerability as low to moderate severity. With an EPSS score of less than 1%, spontaneous exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is feasible for any attacker who can entice a site administrator to click a malicious link or submit a forged form. The lack of nonce verification means that a single click can trigger transcript deletion without further interaction, giving the attacker an immediate and destructive impact."}}}}, "created": "2026-04-22T18:00:05.479040+00:00", "updated": "2026-04-22T18:00:05.479051+00:00", "vendors": []}