{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32448", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:40.509Z", "datePublished": "2026-03-13T11:42:20.912Z", "dateUpdated": "2026-04-29T09:51:59.723Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "podlove-podcasting-plugin-for-wordpress", "product": "Podlove Podcast Publisher", "vendor": "Eric Teubert", "versions": [{"changes": [{"at": "4.3.4", "status": "unaffected"}], "lessThanOrEqual": "4.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "zaim | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:06.580Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.<p>This issue affects Podlove Podcast Publisher: from n/a through <= 4.3.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.This issue affects Podlove Podcast Publisher: from n/a through <= 4.3.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.723Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/podlove-podcasting-plugin-for-wordpress/vulnerability/wordpress-podlove-podcast-publisher-plugin-4-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Podlove Podcast Publisher plugin <= 4.3.3 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T14:39:11.554124Z", "id": "CVE-2026-32448", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T14:39:35.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32448", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T14:39:11.554124Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T14:37:41.678Z"}}], "cna": {"title": "WordPress Podlove Podcast Publisher plugin <= 4.3.3 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "zaim | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eric Teubert", "product": "Podlove Podcast Publisher", "versions": [{"status": "affected", "changes": [{"at": "4.3.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.3.3"}], "packageName": "podlove-podcasting-plugin-for-wordpress", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:06:06.580Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/podlove-podcasting-plugin-for-wordpress/vulnerability/wordpress-podlove-podcast-publisher-plugin-4-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.This issue affects Podlove Podcast Publisher: from n/a through <= 4.3.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.<p>This issue affects Podlove Podcast Publisher: from n/a through <= 4.3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.723Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32448", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:59.723Z", "dateReserved": "2026-03-12T11:11:40.509Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:20.912Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.This issue affects Podlove Podcast Publisher: from n/a through <= 4.3.3."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress permite XSS Almacenado. Este problema afecta a Podlove Podcast Publisher: desde n/a hasta &lt;= 4.3.3."}], "id": "CVE-2026-32448", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:05.680", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/podlove-podcasting-plugin-for-wordpress/vulnerability/wordpress-podlove-podcast-publisher-plugin-4-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[4.3.4,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Podlove Podcast Publisher", "source": "cna", "vendor": "Eric Teubert"}, "product": "podlove_podcast_publisher", "vendor": "eric_teubert"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:43:44.363057+00:00", "value": {"mitigation_remediation": ["Upgrade the Podlove Podcast Publisher plugin to version 4.3.4 or later, which removes the stored\u2011XSS flaw.", "If an update cannot be performed immediately, temporarily deactivate or uninstall the plugin to eliminate the attack surface.", "Implement a content security policy (CSP) that restricts the sources of executable scripts to mitigate the impact of any remaining XSS payloads."], "summary": {"action": "Patch", "impact": "Stored cross\u2011site scripting (XSS)"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Podlove Podcast Publisher by Eric Teubert for WordPress, impacting all plugin releases from the initial version up to and including 4.3.3. No specific lower bound was identified; versions 4.3.4 and later are considered corrected.", "description_and_impact": "The Podlove Podcast Publisher plugin for WordPress contains an Improper Neutralization of Input During Web Page Generation vulnerability (CWE\u201179) that allows stored cross\u2011site scripting (XSS). The flaw resides in the plugin\u2019s handling of podcast metadata, enabling an attacker who can insert content into the plugin\u2019s database to persist malicious JavaScript that is later rendered when the content is viewed. Successful exploitation can lead to client\u2011side code execution in the context of site visitors, potentially resulting in session hijacking, cookie theft, defacement, or other unintended client\u2011side activity.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of below 1\u202f% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation typically requires a user with permission to create or edit podcast entries, allowing injection of malicious content that is stored in the database. The attack vector is remote and web\u2011based, executed through the normal WordPress interface by an authenticated user, and the impact is confined to the site\u2019s users who view the corrupted content."}}}}, "created": "2026-03-16T09:33:17.339756+00:00", "updated": "2026-03-23T12:03:17.487260+00:00", "vendors": ["eric_teubert", "eric_teubert$PRODUCT$podlove_podcast_publisher", "wordpress", "wordpress$PRODUCT$wordpress"]}