{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23798", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.503Z", "datePublished": "2026-03-05T05:53:48.543Z", "dateUpdated": "2026-04-28T16:14:46.858Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "powerpress", "product": "PowerPress Podcasting", "vendor": "blubrry", "versions": [{"changes": [{"at": "11.15.11", "status": "unaffected"}], "lessThanOrEqual": "11.15.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:31.032Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection.<p>This issue affects PowerPress Podcasting: from n/a through <= 11.15.10.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection.This issue affects PowerPress Podcasting: from n/a through <= 11.15.10."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.858Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/powerpress/vulnerability/wordpress-powerpress-podcasting-plugin-11-15-10-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress PowerPress Podcasting plugin <= 11.15.10 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:24:29.494704Z", "id": "CVE-2026-23798", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:43:56.377Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23798", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T14:24:29.494704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:24:24.630Z"}}], "cna": {"title": "WordPress PowerPress Podcasting plugin <= 11.15.10 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "blubrry", "product": "PowerPress Podcasting", "versions": [{"status": "affected", "changes": [{"at": "11.15.11", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "11.15.10"}], "packageName": "powerpress", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:14.300Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/powerpress/vulnerability/wordpress-powerpress-podcasting-plugin-11-15-10-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection.This issue affects PowerPress Podcasting: from n/a through <= 11.15.10.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection.<p>This issue affects PowerPress Podcasting: from n/a through <= 11.15.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.632Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23798", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:43:56.377Z", "dateReserved": "2026-01-16T14:15:17.503Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:48.543Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection.This issue affects PowerPress Podcasting: from n/a through <= 11.15.10."}, {"lang": "es", "value": "Vulnerabilidad de Deserializaci\u00f3n de Datos No Confiables en blubrry PowerPress Podcasting powerpress permite la Inyecci\u00f3n de Objetos. Este problema afecta a PowerPress Podcasting: desde n/a hasta &lt;= 11.15.10."}], "id": "CVE-2026-23798", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:22.363", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/powerpress/vulnerability/wordpress-powerpress-podcasting-plugin-11-15-10-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.15.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerPress Podcasting", "source": "cna", "vendor": "blubrry"}, "product": "powerpress_podcasting", "vendor": "blubrry"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:16:34.238181+00:00", "value": {"mitigation_remediation": ["Upgrade the PowerPress Podcasting plugin to version 11.15.11 or later to remove the deserialization vulnerability.", "If upgrading is not immediately possible, completely disable or delete the plugin from the WordPress installation to eliminate the attack surface.", "Ensure that any remaining input accepted by the plugin is properly validated and sanitized, and avoid using PHP's unserialize() on untrusted data."], "summary": {"action": "Apply Patch", "impact": "Object Injection leading to potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the PowerPress Podcasting plugin with versions up to and including 11.15.10 are affected. Users with any earlier or unspecified versions should verify their installation and upgrade if necessary.", "description_and_impact": "The vulnerability is a Deserialization of Untrusted Data flaw that permits Object Injection in the blubrry PowerPress Podcasting WordPress plugin. By manipulating serialized input data, an attacker could create arbitrary objects that may execute code on the server during deserialization, potentially compromising confidentiality, integrity, and availability of the affected website.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is reported as less than 1%, showing low but nonzero exploitation probability. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the flaw can be exploited through crafted HTTP requests that deliver malicious serialized data to the plugin\u2019s deserialization endpoint, suggesting a remote, web-based exploitation path."}}}}, "created": "2026-03-06T15:13:51.750138+00:00", "updated": "2026-04-16T05:30:25.783707+00:00", "vendors": ["blubrry", "blubrry$PRODUCT$powerpress_podcasting", "wordpress", "wordpress$PRODUCT$wordpress"]}