{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27058", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:30.505Z", "datePublished": "2026-02-19T08:27:10.631Z", "dateUpdated": "2026-04-28T16:15:00.830Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "penci-podcast", "product": "Penci Podcast", "vendor": "PenciDesign", "versions": [{"lessThanOrEqual": "1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:13.192Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.<p>This issue affects Penci Podcast: from n/a through <= 1.7.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.This issue affects Penci Podcast: from n/a through <= 1.7."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:00.830Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/penci-podcast/vulnerability/wordpress-penci-podcast-plugin-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Penci Podcast plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T17:17:23.204482Z", "id": "CVE-2026-27058", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:51:36.545Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T17:17:23.204482Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T17:17:17.889Z"}}], "cna": {"title": "WordPress Penci Podcast plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PenciDesign", "product": "Penci Podcast", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7"}], "packageName": "penci-podcast", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:27:00.799Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/penci-podcast/vulnerability/wordpress-penci-podcast-plugin-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.This issue affects Penci Podcast: from n/a through <= 1.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.<p>This issue affects Penci Podcast: from n/a through <= 1.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.663Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27058", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:51:36.545Z", "dateReserved": "2026-02-17T13:23:30.505Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:10.631Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.This issue affects Penci Podcast: from n/a through <= 1.7."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en PenciDesign Penci Podcast penci-podcast permite XSS basado en DOM. Este problema afecta a Penci Podcast: desde n/a hasta &lt;= 1.7."}], "id": "CVE-2026-27058", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:27.097", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/penci-podcast/vulnerability/wordpress-penci-podcast-plugin-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Penci Podcast", "source": "cna", "vendor": "PenciDesign"}, "product": "penci_podcast", "vendor": "pencidesign"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:07:51.830512+00:00", "value": {"mitigation_remediation": ["Upgrade the Penci Podcast plugin to the latest available version where the XSS flaw is fixed.", "If an upgrade is not immediately possible, disable the plugin or remove it from the site to eliminate the attack surface.", "Implement input sanitization policies and consider using a web application firewall to detect and block malicious script payloads."], "summary": {"action": "Patch", "impact": "Cross\u2011site Scripting (DOM\u2011based XSS)"}, "threat_synthesis": {"affected_systems": "The affected product is WordPress Penci Podcast plugin provided by PenciDesign. Versions from the earliest release through version 1.7 are vulnerable; no specific version numbers are listed beyond the upper bound. Security\u2011aware administrators should ensure that the plugin is updated to a later release where the issue is resolved. The plugin runs within the WordPress environment on any server that hosts a WordPress site and uses the Penci Podcast add\u2011on.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts via DOM manipulation. This leads to cross\u2011site scripting that can execute arbitrary JavaScript when affected users view pages rendered by the plugin. The weakness is captured as CWE\u201179. No details about remote code execution are provided; impact is restricted to compromise of local user session and potential data exfiltration or defacement. The flaw is limited to the Penci Podcast plugin version <=1.7, and it is a DOM\u2011based XSS rather than a server\u2011side injection.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity. The EPSS probability is very low (<1%), and the vulnerability is not listed in the CISA KEV catalog, implying no known exploitation in the wild. However, because the flaw permits execution of arbitrary JavaScript in the context of a legitimate user, it could be leveraged to steal cookies, perform phishing, or inject further malware. The likely attack vector involves a user visiting a page containing a crafted URL or a malicious link that triggers the plugin\u2019s rendering logic; no authentication or privilege escalation is required. Given the low EPSS, the risk is moderate, but site owners should still address it promptly."}}}}, "created": "2026-02-20T10:08:04.071959+00:00", "updated": "2026-04-16T00:15:18.637221+00:00", "vendors": ["pencidesign", "pencidesign$PRODUCT$penci_podcast", "wordpress", "wordpress$PRODUCT$wordpress"]}