PowerPress Podcasting plugin by Blubrry < 11.12.6 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-46264 | Plugin Vulnerabilities

Description

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 11.12.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 11.12.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/dd776106-2ec6-4813-946c-36e62a32d7df

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

a316b4c0-544a-4fbc-9790-76851880bb65

Timeline

Publicly Published

2025-04-23 (about 1 year ago)

Added

2025-05-01 (about 1 year ago)

Last Updated

2025-05-01 (about 1 year ago)

Other

Published

Title

Published

2024-01-09

Title

Customer Reviews for WooCommerce < 5.38.10 - Author+ Arbitrary File Upload

Published

2022-11-21

Title

Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload

Published

2024-12-13

Title

Crafthemes Demo Import <= 3.3 - Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files

Published

2014-12-08

Title

Gravity Forms <= 1.8.19 - Arbitrary File Upload

Published

2022-06-02

Title

HTML2WP <= 1.0.0 - Unauthenticated Arbitrary File Upload