Blubrry PowerPress < 11.15.3 – Authenticated (Contributor+) Arbitrary File Upload via 'powerpress_edit_post' | CVE 2025-13536 | Plugin Vulnerabilities

Description

The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 11.15.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d420ee49-e7b3-43d8-a263-8a93abd1133c

Miscellaneous

Original Researcher

ISMAILSHADOW

Verified

No

WPVDB ID

5886d472-d59e-40db-9862-b294fc2e80d5

Timeline

Publicly Published

2025-11-26 (about 7 months ago)

Added

2025-11-26 (about 7 months ago)

Last Updated

2025-11-27 (about 7 months ago)

Other

Published

Title

Published

2021-07-01

Title

PWA for WP & AMP < 1.7.33 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-04-22

Title

Newsletters < 4.9.6 - Authenticated (Admin+) Arbitrary File Upload

Published

2024-10-21

Title

Verbalize WP <= 1.0 - Unauthenticated Arbitrary File Upload

Published

2025-10-15

Title

Blogmatic < 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2014-08-01

Title

WP Property <= 1.35.0 - Arbitrary File Upload