{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24385", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.125Z", "datePublished": "2026-03-05T05:53:49.345Z", "dateUpdated": "2026-04-28T16:14:48.530Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "podlove-web-player", "product": "Podlove Web Player", "vendor": "gerritvanaaken", "versions": [{"changes": [{"at": "5.9.2", "status": "unaffected"}], "lessThanOrEqual": "5.9.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:38.937Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.<p>This issue affects Podlove Web Player: from n/a through <= 5.9.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.This issue affects Podlove Web Player: from n/a through <= 5.9.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.530Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/podlove-web-player/vulnerability/wordpress-podlove-web-player-plugin-5-9-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Podlove Web Player plugin <= 5.9.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:00:28.356568Z", "id": "CVE-2026-24385", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:06:34.743Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24385", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.125Z", "datePublished": "2026-03-05T05:53:49.345Z", "dateUpdated": "2026-04-28T14:06:34.743Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "podlove-web-player", "product": "Podlove Web Player", "vendor": "gerritvanaaken", "versions": [{"changes": [{"at": "5.9.2", "status": "unaffected"}], "lessThanOrEqual": "5.9.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:18.250Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.<p>This issue affects Podlove Web Player: from n/a through <= 5.9.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.This issue affects Podlove Web Player: from n/a through <= 5.9.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.594Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/podlove-web-player/vulnerability/wordpress-podlove-web-player-plugin-5-9-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Podlove Web Player plugin <= 5.9.1 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T14:00:28.356568Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:00:19.645Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.This issue affects Podlove Web Player: from n/a through <= 5.9.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en gerritvanaaken Podlove Web Player podlove-web-player permite la inyecci\u00f3n de objetos. Este problema afecta a Podlove Web Player: desde n/a hasta &lt;= 5.9.1."}], "id": "CVE-2026-24385", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:22.900", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/podlove-web-player/vulnerability/wordpress-podlove-web-player-plugin-5-9-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.9.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.9.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Podlove Web Player", "source": "cna", "vendor": "gerritvanaaken"}, "product": "podlove_web_player", "vendor": "gerritvanaaken"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:45:52.237247+00:00", "value": {"mitigation_remediation": ["Update the Podlove Web Player plugin to the latest version 5.10 or later, which removes the deserialization flaw.", "If an immediate update is not possible, temporarily deactivate or uninstall the plugin until a patch is applied to prevent exploitation. ", "Implement strict input validation and sanitization on the plugin\u2019s data inputs, ensuring no unserialized user data is processed without verification."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Podlove Web Player plugin, developed by gerritvanaaken. Any installation with a version up to and including 5.9.1 is vulnerable; the issue is not present in newer releases beyond 5.9.1.", "description_and_impact": "The vulnerability is a deserialization of untrusted data in the Podlove Web Player plugin, which allows malicious actors to perform PHP object injection. Object injection can lead to arbitrary PHP code execution on the web server, effectively compromising the integrity and confidentiality of the system. The flaw is classified as CWE\u2011502: Insecure Deserialization, indicating that user-controllable data is being unserialized without proper validation.", "risk_and_exploitability": "The CVSS score of 7.5 marks this flaw as high severity. EPSS is reported as <1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the potential impact is significant. Based on the plugin\u2019s nature, exploitation would likely occur via a web request that includes malicious serialized data, possibly through an authenticated WordPress admin interface or a crafted request to the plugin\u2019s endpoints. If an attacker can inject objects, they can execute arbitrary PHP code on the server."}}}}, "created": "2026-03-06T15:13:48.308229+00:00", "updated": "2026-04-16T00:00:14.123648+00:00", "vendors": ["gerritvanaaken", "gerritvanaaken$PRODUCT$podlove_web_player", "wordpress", "wordpress$PRODUCT$wordpress"]}