Podlove Podcast Publisher CVE-2025-10147 Arbitrary File Upload: Brief Summary and Technical Review

A brief summary of CVE-2025-10147 affecting Podlove Podcast Publisher for WordPress. This review covers the technical root cause, affected versions, and vendor security history based on available public sources. No patch or detection methods are included because none were found in public advisories.
ZeroPath CVE Analysis

2025-09-23

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can gain remote code execution on WordPress sites running Podlove Podcast Publisher simply by uploading a malicious file. This vulnerability affects all plugin versions up to and including 4.2.6, exposing thousands of podcasting sites to full compromise with no authentication required.

Podlove Podcast Publisher is a specialized WordPress plugin used by approximately 4000 active sites to manage and distribute podcast content. It is a key tool in the podcasting ecosystem, providing advanced publishing, analytics, and media management features for content creators and organizations.

Technical Information

CVE-2025-10147 is a critical vulnerability classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The root cause is missing file type validation in the move_as_original_file function of the Podlove Podcast Publisher plugin. This function is responsible for handling file uploads, including images and media files associated with podcast episodes.

The affected code path does not restrict or validate the type of file being uploaded. As a result, an unauthenticated attacker can send a crafted HTTP request to the plugin's upload endpoint, supplying a file with any extension or content type. The plugin will accept and store the file on the server, making it accessible via the web. If the uploaded file is a PHP script or other executable, the attacker can then trigger code execution by accessing the file directly.
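As an added example (not Podlove's code and not a vendor fix), a standalone PHP check of the kind this paragraph describes as missing: a closed allowlist of podcast media extensions, each tied to the MIME types libmagic must report for the uploaded bytes, with client-supplied path components and double extensions refused. The allowlist contents, the function name and the constructed sample files are assumptions.

```php
<?php
// Added example, not Podlove code: reject-by-default media upload validation.
const ALLOWED_MEDIA = [ // extension => MIME types finfo must report (assumed allowlist)
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'mp3'  => ['audio/mpeg'],
    'm4a'  => ['audio/mp4', 'audio/x-m4a'],
    'ogg'  => ['audio/ogg', 'application/ogg'],
];
/**
 * Returns a safe basename for storage, or null when the upload must be refused.
 * Anything not explicitly allowed is refused, including names with no extension.
 */
function validate_media_upload(string $tmpPath, string $clientName): ?string
{
    // Drop client-supplied directories and anything outside a conservative charset.
    $base = basename(str_replace('\\', '/', $clientName));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);

    // Exactly one extension: "cover.php.png" style names are refused outright,
    // since some server configurations dispatch on an inner ".php".
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    [$stem, $ext] = $parts;
    $ext = strtolower($ext);
    if (!isset(ALLOWED_MEDIA[$ext])) {
        return null;
    }

    // Sniff the actual bytes; the request's Content-Type header is attacker-controlled.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_MEDIA[$ext], true)) {
        return null;
    }
    return $stem . '.' . $ext;
}

// Constructed sample uploads: a minimal PNG header and a PHP source file.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'x';");

var_dump(validate_media_upload($png, 'cover.png'));        // PNG bytes, allowed name
var_dump(validate_media_upload($php, 'cover.png'));        // PHP bytes behind an image name
var_dump(validate_media_upload($png, '../cover.php.png')); // path component and double extension
unlink($png); unlink($php);
```

This check belongs on the server side of every upload path, and it is independent of whether the web server is also configured not to execute scripts under the upload directory.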

Public code references confirm the absence of file type checks in the vulnerable function.

No official patch or detection methods are available in public advisories as of the publication date.

Affected Systems and Versions

  • Product: Podlove Podcast Publisher WordPress plugin
  • Affected versions: All versions up to and including 4.2.6
  • Vulnerable configuration: Any WordPress installation with the affected plugin enabled

Vendor Security History

Podlove Podcast Publisher has a documented history of security issues, with at least 19 vulnerabilities recorded in public databases. Recent issues include:

  • Stored XSS via Feed Name (CVE-2025-0554, fixed in 4.2.0)
  • Open redirect vulnerability (fixed in 4.2.6)
  • Multiple XSS vulnerabilities in podcast summaries and unused code (fixed in 4.2.1 and 4.2.3)

The vendor typically releases patches in response to reported vulnerabilities, but the frequency of critical issues indicates persistent challenges with secure development and review processes.
