CVE-2025-0554

CWE-79Cross-site Scripting (XSS)CWE-8234 documents4 sources
Severity
4.0MEDIUM
EPSS
0.1%
top 77.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Podlove Podlove Podcast PublisherEteubert Podlove Podcast Publisher
Timeline
PublishedJan 18

Description

The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version <= 4.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.7

Affected Packages2 packages

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-8wxc-r8x6-h56h: The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version <= 42025-01-18
CVEList
Podlove Podcast Publisher <= 4.1.25 - Authenticated (Admin+) Stored Cross-Site Scripting via Feed Name2025-01-18

📋Vendor Advisories

1
Microsoft
Use of Out-of-range Pointer Offset in vim/vim2022-02-08