Blubrry PowerPress CVE-2025-13536: Arbitrary File Upload Vulnerability – Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-13536, a high-severity arbitrary file upload vulnerability in the Blubrry PowerPress WordPress plugin up to version 11.15.2. The summary covers affected versions, technical root cause, detection methods, and vendor security history based on available sources.
CVE Analysis

ZeroPath CVE Analysis

2025-11-27

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers with Contributor-level access can upload arbitrary files to WordPress sites using the Blubrry PowerPress plugin, potentially achieving remote code execution and full site compromise. This vulnerability affects a plugin with a large install base in the podcasting sector, impacting content creators and organizations relying on WordPress for podcast distribution.

Blubrry is a prominent podcast hosting and analytics provider. Its PowerPress plugin is one of the most widely used podcasting solutions for WordPress, powering hundreds of thousands of sites. The plugin's reach means vulnerabilities can have a broad impact across the podcasting and WordPress communities.

Technical Information

CVE-2025-13536 is a high-severity vulnerability (CVSS 8.8) in the Blubrry PowerPress Podcasting plugin for WordPress, affecting all versions up to and including 11.15.2. The vulnerability is present in the 'powerpress_edit_post' function. The plugin attempts to validate file extensions during file uploads, but if validation fails, the upload process is not stopped. This logic flaw enables authenticated users with Contributor-level access or higher to upload files with dangerous extensions, such as PHP, to the server.

The uploaded files may be stored in web-accessible directories (for example, wp-content/uploads), allowing attackers to access and execute them via HTTP requests. This can result in remote code execution, site takeover, and further compromise of the underlying server.

The vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. Code references for the vulnerable logic are found in powerpressadmin.php at lines 2368, 3012, and 3068 in version 11.14.1.

Attackers exploit this by uploading executable files through the plugin's admin interface, bypassing intended file type restrictions. The vulnerability does not require complex techniques or privilege escalation beyond Contributor-level access.
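To make the logic flaw concrete, here is an added illustrative PHP reconstruction of the pattern described above: an extension check whose result is recorded but never enforced, placed beside a fail-closed version. It is not PowerPress's code; the function names, the allowlist and the upload directory are assumptions, and the hardened variant relies on WordPress core helpers (wp_check_filetype_and_ext, wp_unique_filename, sanitize_file_name, trailingslashit, WP_Error), so it only runs inside WordPress.

```php
<?php
// Illustrative reconstruction of the CWE-434 pattern attributed to CVE-2025-13536.
// NOT the PowerPress source: it only models "validation computed but not enforced".

// Assumed allowlist of media extensions a podcasting plugin legitimately needs.
const ALLOWED_EXTENSIONS = ['mp3', 'm4a', 'ogg', 'mp4', 'jpg', 'jpeg', 'png'];

function extension_is_allowed(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// VULNERABLE: the check runs and records an error, but the upload proceeds anyway.
function vulnerable_handle_upload(array $file, string $upload_dir): string {
    $error = null;
    if (!extension_is_allowed($file['name'])) {
        $error = 'Invalid file type';            // recorded ...
    }
    // ... but control falls through regardless of $error, so a .php file is stored
    // under a web-served directory with its client-supplied name.
    $dest = rtrim($upload_dir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// HARDENED: fail closed, and do not trust the client-supplied name or extension alone.
function hardened_handle_upload(array $file, string $upload_dir) {
    if (!extension_is_allowed($file['name'])) {
        return new WP_Error('invalid_type', 'File type not permitted.');   // abort here
    }
    // Cross-check content against the claimed extension using the WordPress core helper.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type'])) {
        return new WP_Error('invalid_type', 'File content does not match its extension.');
    }
    // Sanitize and de-duplicate the name instead of reusing the client's basename verbatim.
    $safe_name = wp_unique_filename($upload_dir, sanitize_file_name($file['name']));
    $dest = trailingslashit($upload_dir) . $safe_name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return new WP_Error('move_failed', 'Could not store the upload.');
    }
    return $dest;
}
```

The extension allowlist alone is necessary but not sufficient; the content check and a server configuration that refuses to execute scripts under wp-content/uploads are what make the directory safe to serve.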

Detection Methods

Detecting vulnerabilities in WordPress plugins, such as the PowerPress Podcasting plugin, involves a combination of proactive monitoring and analysis. While specific detection methods for this plugin's vulnerabilities are not detailed in the provided sources, general strategies can be employed to identify potential issues:

1. Regular Security Scanning: Utilize security tools to perform regular scans of your WordPress site. These tools can identify known vulnerabilities in plugins and themes by comparing installed versions against databases of reported issues.

2. Monitoring for Unusual Activity: Keep an eye on your website's logs for unexpected behaviors, such as unauthorized changes to content, new administrative accounts, or unusual login attempts. These can be indicators of exploitation attempts.

3. Staying Informed on Vulnerability Disclosures: Subscribe to security advisories and vulnerability databases to receive timely information about newly discovered vulnerabilities in WordPress plugins, including PowerPress. This enables prompt action to mitigate risks.

4. Implementing Web Application Firewalls (WAFs): Deploy WAFs to filter and monitor HTTP traffic between a web application and the Internet. WAFs can help detect and block malicious requests attempting to exploit known vulnerabilities.

By integrating these practices into your website maintenance routine, you can enhance the detection and prevention of potential security issues associated with WordPress plugins.
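As an added defender-side check tied to the consequence described above (a server-side script placed under wp-content/uploads), the following PHP CLI script is an example written for this review, not part of PowerPress or WordPress core. It walks an uploads directory (path assumed from the command line) and flags files with server-side script extensions as well as files whose first bytes contain a PHP open tag despite a media-looking name.

```php
<?php
// Added example: enumerate an uploads tree for files that should never appear there.
// Usage: php scan_uploads.php /var/www/html/wp-content/uploads   (path is an assumption)

const SERVER_SIDE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

// Returns a list of [path, reason] pairs; an empty list means nothing suspicious was found.
function scan_uploads_dir(string $root): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        if (in_array($ext, SERVER_SIDE_EXTENSIONS, true)) {
            $findings[] = [$path, 'server-side script extension in uploads'];
            continue;
        }
        // Misnamed or polyglot payloads: a PHP open tag inside a file claiming to be media.
        // Only the first 4 KiB is read, so large audio files are not loaded into memory.
        $head = @file_get_contents($path, false, null, 0, 4096);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $findings[] = [$path, 'PHP open tag inside non-PHP file'];
        }
    }
    return $findings;
}

$root = $argv[1] ?? 'wp-content/uploads';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(2);
}
$findings = scan_uploads_dir($root);
foreach ($findings as [$path, $reason]) {
    // Modification time helps correlate a finding with upload activity in the web server logs.
    printf("%s\t%s\t%s\n", date('c', filemtime($path)), $reason, $path);
}
exit($findings ? 1 : 0);
```

A non-zero exit status makes the script easy to wire into a cron job or monitoring check; review any hit against the web server access log for requests to that path.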

Affected Systems and Versions

  • Product: Blubrry PowerPress Podcasting plugin for WordPress
  • Affected versions: All versions up to and including 11.15.2
  • Vulnerable configuration: Any WordPress installation with PowerPress plugin version 11.15.2 or earlier, where users with Contributor-level access or higher can upload files

Vendor Security History

Blubrry PowerPress has a history of security vulnerabilities, including stored XSS, CSRF, and SSRF issues. Previous vulnerabilities include:

  • CVE-2025-64201 (CSRF, up to 11.13.12)
  • CVE-2025-32691 (SSRF, up to 11.12.6)

The vendor typically releases patches quickly after disclosure, as seen with the release of version 11.15.3 shortly after CVE-2025-13536 was reported. However, the frequency of issues suggests ongoing challenges in secure development practices.
