{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24360", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.567Z", "datePublished": "2026-01-22T16:52:44.261Z", "dateUpdated": "2026-04-28T16:14:47.972Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "seriously-simple-podcasting", "product": "Seriously Simple Podcasting", "vendor": "Craig Hewitt", "versions": [{"changes": [{"at": "3.14.2", "status": "unaffected"}], "lessThanOrEqual": "3.14.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:03.770Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery.<p>This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.972Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Seriously Simple Podcasting plugin <= 3.14.1 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T20:39:56.185132Z", "id": "CVE-2026-24360", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:49:16.193Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24360", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T20:39:56.185132Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T20:39:45.329Z"}}], "cna": {"title": "WordPress Seriously Simple Podcasting plugin <= 3.14.1 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Craig Hewitt", "product": "Seriously Simple Podcasting", "versions": [{"status": "affected", "changes": [{"at": "3.14.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.14.1"}], "packageName": "seriously-simple-podcasting", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:03.770Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery.<p>This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24360", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:47.972Z", "dateReserved": "2026-01-22T14:42:24.567Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:44.261Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting permite la falsificaci\u00f3n de petici\u00f3n del lado del servidor. Este problema afecta a Seriously Simple Podcasting: desde n/a hasta &lt;= 3.14.1."}], "id": "CVE-2026-24360", "lastModified": "2026-04-28T03:16:03.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:39.700", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T22:31:55.708987+00:00", "value": {"mitigation_remediation": ["Upgrade Seriously\u202fSimple\u202fPodcasting to version\u202f3.15 or later to remove the SSRF defect.", "If an update cannot be applied immediately, disable the plugin on the WordPress installation to eliminate the attack surface.", "Review server logs for unexpected outbound requests originating from the plugin and consider network\u2011level filtering to block unauthorized outbound traffic during the remediation period."], "summary": {"action": "Patch Now", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw is present in all releases of Seriously\u202fSimple\u202fPodcasting distributed by Craig\u202fHewitt up to and including version\u202f3.14.1. WordPress sites who have installed any of those versions are therefore vulnerable until a patched release is applied.", "description_and_impact": "The vulnerability is a Server\u2011Side Request Forgery in Craig Hewitt\u2019s Seriously\u202fSimple\u202fPodcasting WordPress plugin, enabling an attacker to cause the server to perform arbitrary HTTP requests. This weakness is categorized as CWE\u2011918. Because the plugin accepts external URLs as input, the flaw can be exploited to direct the host to query any internal or external resource, potentially exposing data or triggering unintended actions. The vulnerability description does not specify the exact handling of the request, so the extent of potential damage is inferred from the general behavior of SSRF flaws.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a moderate severity, while the EPSS score of less than\u202f1\u202f% suggests a low probability of active exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the nature of SSRF, we infer that an attacker would need to supply a crafted URL or media reference to the plugin, which would then be forwarded by the host; with successful exploitation, the attacker could force outbound network traffic, potentially reaching internal resources or communicating with external endpoints. The current data do not confirm any known exploitation campaigns."}}}}, "created": "2026-01-23T16:28:07.991267+00:00", "updated": "2026-04-28T22:45:25.932211+00:00", "vendors": ["craig_hewitt", "craig_hewitt$PRODUCT$seriously_simple_podcasting", "wordpress", "wordpress$PRODUCT$wordpress"]}