{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2988", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-22T19:41:30.680Z", "datePublished": "2026-04-08T02:25:40.994Z", "dateUpdated": "2026-04-08T17:28:15.802Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:15.802Z"}, "affected": [{"vendor": "blubrry", "product": "PowerPress Podcasting plugin by Blubrry", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "11.15.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473781/powerpress"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-25T19:37:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T13:33:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:47:25.742606Z", "id": "CVE-2026-2988", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:14:16.034Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2988", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:47:25.742606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:47:26.738Z"}}], "cna": {"title": "Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "blubrry", "product": "PowerPress Podcasting plugin by Blubrry", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "11.15.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-25T19:37:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T13:33:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473781/powerpress"}], "descriptions": [{"lang": "en", "value": "The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T02:25:40.994Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2988", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:14:16.034Z", "dateReserved": "2026-02-22T19:41:30.680Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T02:25:40.994Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2988", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T04:17:00.897", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3473781/powerpress"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,11.15.15]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PowerPress Podcasting plugin by Blubrry", "source": "cna", "vendor": "blubrry"}, "product": "powerpress_podcasting_plugin_by_blubrry", "vendor": "blubrry"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T04:50:23.094042+00:00", "value": {"mitigation_remediation": ["Update the PowerPress plugin to a version newer than 11.15.15."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vulnerable products are Blubrry PowerPress Podcasting plugin versions 11.15.15 and earlier. The plugin is installed as a WordPress extension that lets contributors embed podcast feeds using shortcodes; any user with contributor, author, editor, or administrator privileges can create or edit content containing the vulnerable shortcodes.", "description_and_impact": "The Blubrry PowerPress Podcasting plugin for WordPress allows contributors and higher users to embed podcast content with shortcodes. In affected releases the plugin fails to properly sanitize or escape data supplied through the powerpress and podcast shortcodes, enabling an authenticated attacker to persist arbitrary JavaScript in a post or page. When a visitor loads the page, the script executes in their browser, potentially hijacking the session, defacing the site, or performing other malicious actions on behalf of the user. This weakness is a classic stored XSS whose consequences involve confidentiality, integrity, and availability of the site\u2019s content and user sessions.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. Exploit probability information is currently unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires the attacker to have authenticated contributor\u2011level access to the WordPress site, after which they can inject malicious payloads that remain stored and affect every visitor who views the affected page. The likely vector is an authenticated user modifying content on the site."}}}}, "created": "2026-04-08T19:33:30.212043+00:00", "updated": "2026-04-08T19:44:07.370511+00:00", "vendors": ["blubrry", "blubrry$PRODUCT$powerpress_podcasting_plugin_by_blubrry", "wordpress", "wordpress$PRODUCT$wordpress"]}