PowerPress Podcasting < 11.9.18 – Author+ XSS | CVE 2024-9227 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings when adding a podcast, which could allow admin users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

1. From a user with Author rights + create a post
2. Enter a URL in the Podcast Episode
3. There is a Transcription(optional) below the Media URL
4. In the Transcription(optional), select Add a transcript
5. Insert the payload: `http://123.123"onmouseover='alert(1)'`
6. Mouseover the link to see the XSS

Affects Plugins

Fixed in 11.9.18

References

CVE

URL

https://research.cleantalk.org/CVE-2024-9227/

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

bb6515b9-a316-4146-8b7d-9b70a47aa366

Timeline

Publicly Published

2024-08-29 (about 1 year ago)

Added

2025-03-02 (about 10 months ago)

Last Updated

2025-03-02 (about 10 months ago)

Other

Published

Title

Published

2024-11-01

Title

MyCurator Content Curation < 3.79 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2025-07-18

Title

OpenStreetMap for Gutenberg and WPBakery Page Builder <= 1.2.0 - Contributor+ Stored XSS

Published

2024-03-19

Title

Website Article Monetization By MageNet < 1.0.12 - Unauthenticated Stored XSS

Published

2023-10-20

Title

Add Custom Body Class <= 1.4.1 - Contributor+ Stored Cross-Site Scripting

Published

2025-10-21

Title

ST Categories Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting