Podlove Podcast Publisher < 4.2.3 – Cross-Site Request Forgery via ajax_transcript_delete Function | CVE 2025-1383 | Plugin Vulnerabilities

Description

The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

podlove-podcasting-plugin-for-wordpress

Fixed in 4.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/00a95ae7-3c58-4e5e-aaef-c04d1dacf27f

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Abbas Mamoun

Verified

No

WPVDB ID

6360f198-5a45-40fe-951f-0e4f0e055722

Timeline

Publicly Published

2025-03-05 (about 1 year ago)

Added

2025-03-11 (about 1 year ago)

Last Updated

2025-03-11 (about 1 year ago)

Other

Published

Title

Published

2021-02-08

Title

NextGen Gallery < 3.5.0 - CSRF allows File Upload

Published

2025-04-09

Title

FrescoChat Live Chat <= 3.2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2022-05-16

Title

LiveSync for WordPress <= 1.0 - Arbitrary Settings Update via CSRF

Published

2015-05-05

Title

WP Ultimate CSV Importer < 3.7.3 - Various CSRF

Published

2023-06-26

Title

POST SMTP Mailer < 2.5.7 - Arbitrary Log Deletion via CSRF