Podlove Podcast Publisher < 4.2.7 – Unauthenticated Arbitrary File Upload | CVE 2025-10147 | Plugin Vulnerabilities

Description

The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

podlove-podcasting-plugin-for-wordpress

Fixed in 4.2.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/093058f1-c717-424f-9bd5-4838df8d20a1

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

a8b0e771-dd6b-4421-9554-97bf47a94670

Timeline

Publicly Published

2025-09-22 (about 9 months ago)

Added

2025-09-22 (about 9 months ago)

Last Updated

2025-09-23 (about 9 months ago)

Other

Published

Title

Published

2020-01-14

Title

Elementor < 2.7.5 - Authenticated Arbitrary File Upload

Published

2022-11-28

Title

SEO Plugin by Squirrly SEO < 12.1.11 - Contributor+ Arbitrary File Upload

Published

2025-03-07

Title

Product Input Fields for WooCommerce < 1.12.1 - Unauthenticated Limited File Upload

Published

2024-05-28

Title

WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.5.0 - Admin+ Arbitrary File Upload

Published

2024-03-25

Title

Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload