CVE-2024-1109

The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to export the plugin's tracking data and podcast information.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WordfenceCNA
5.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
podlovepodlove_podcast_publisher
𝑥
≤ 4.0.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/podlove/podlove-publisher/commit/0ac83d1955aa964a358833b1b5ce790fff45b3f4
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032008%40podlove-podcasting-plugin-for-wordpress&new=3032008%40podlove-podcasting-plugin-for-wordpress&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635?source=cve
https://github.com/podlove/podlove-publisher/commit/0ac83d1955aa964a358833b1b5ce790fff45b3f4
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032008%40podlove-podcasting-plugin-for-wordpress&new=3032008%40podlove-podcasting-plugin-for-wordpress&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635?source=cve