PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12098 blubrry CVE debrief

The PowerPress Podcasting plugin by Blubrry for WordPress has a Stored Cross-Site Scripting vulnerability via the 'embed' Episode Meta Field. This vulnerability affects all versions up to, and including, 11.16.8. The vulnerability allows authenticated attackers with author-level access and above to inject arbitrary web scripts. The scripts will execute when a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core's post content pipeline. This means kses-on-save filtering is never applied, even for Author-role users who would otherwise lack unfiltered_html. As a result, this path is unprotected by WordPress's standard role-based XSS mitigations.

Vendor
blubrry
Product
PowerPress Podcasting plugin by Blubrry
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-18
Advisory published
2026-06-18
Advisory updated
2026-06-18

Who should care

Users of PowerPress Podcasting plugin by Blubrry for WordPress, particularly those with author-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites.

Technical summary

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8. This is due to insufficient input sanitization and output escaping. An authenticated attacker with author-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core's post content pipeline, meaning kses-on-save filtering is never applied — even for Author-role users who would otherwise lack unfiltered_html — making this path unprotected by WordPress's standard role-based XSS mitigations.

Defensive priority

Apply updates to PowerPress Podcasting plugin by Blubrry to version 11.16.9 or later, and ensure that all users with author-level access and above have their roles and permissions reviewed.

Recommended defensive actions

  • Apply updates to PowerPress Podcasting plugin by Blubrry to version 11.16.9 or later
  • Review and limit user roles and permissions to prevent unauthorized access
  • Monitor for suspicious activity and implement additional security measures as needed
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-06-18T08:16:33.140Z and was last modified on 2026-06-18T15:23:56.087Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The PowerPress Podcasting plugin by Blubrry for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embed' Episode Meta Field. Authenticated attackers with author-level access and above can inject arbitrary web scripts. The vulnerability affects all versions up to, and including, 11.16.8.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T08:16:33.140Z and has not been modified since then. The NVD entry is currently Deferred.