PowerPress Podcasting < 11.9.18 – Author+ XSS via Podcast URL | CVE 2024-9230 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings when adding a podcast, which could allow author and above users to perform Stored Cross-Site Scripting attacks

Proof of Concept

1. As an author, add a new post
2. For the podcast URL, add the payload `https://cnn.com"><img src=x onerror=alert(5)>`
3. Save the post and view the post.
4. Mouseover the player to see the XSS

Affects Plugins

Fixed in 11.9.18

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

ab5eaf57-fb61-4a08-b439-42dea40b7914

Timeline

Publicly Published

2025-03-24 (about 9 months ago)

Added

2025-03-24 (about 9 months ago)

Last Updated

2025-03-24 (about 9 months ago)

Other

Published

Title

Published

2025-05-19

Title

Ultimate Blocks < 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-21

Title

Js paper <= 2.5.7 - Reflected Cross-Site Scripting

Published

2024-04-24

Title

Base64 Encoder/Decoder <= 0.9.2 - Stored XSS via CSRF

Published

2023-11-07

Title

Atarim < 3.13 - Unauthenticated Stored XSS

Published

2025-08-03

Title

JetWooBuilder <= 2.1.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting