PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1382 freshlabs CVE debrief

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This could lead to unauthorized actions on the affected systems, data breaches, or other malicious activities. The CVSS score for this vulnerability is 6.4, indicating a medium severity level. Organizations using the fresh Podcaster plugin should prioritize updating to a version beyond 1.0.7 and restrict contributor-level access to trusted users only.

Vendor
freshlabs
Product
fresh Podcaster
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Authenticated attackers with contributor-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability affects users of the fresh Podcaster plugin for WordPress, particularly those with contributor-level access or higher. IT administrators, security teams, and users with elevated access privileges should be aware of this vulnerability and take necessary precautions to mitigate the risk. This includes verifying the plugin version, restricting access controls, and monitoring for suspicious activity.

Technical summary

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4, indicating a medium severity level. Technical teams should focus on updating the plugin to a secure version, restricting access controls, and implementing additional security measures such as a WAF.

Defensive priority

Medium priority due to CVSS score of 6.4 and potential for authenticated attackers to inject malicious scripts. Organizations should prioritize updating the plugin and restricting access controls to mitigate the risk.

Recommended defensive actions

  • Inventory and verify the fresh Podcaster plugin version, ensuring it is beyond 1.0.7 if possible.
  • Restrict contributor-level access and above to trusted users only.
  • Implement a Web Application Firewall (WAF) to detect and prevent common XSS attacks.
  • Regularly monitor for and apply security updates to the fresh Podcaster plugin.
  • Educate users on secure practices, especially those with contributor-level access.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

Evidence is based on the CVE record and NVD detail provided. The CVE record was published on 2026-07-11T07:16:46.307Z and has not been modified since then. The NVD entry is currently 6.4 (Medium). The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This vulnerability could potentially allow attackers to inject malicious scripts, which could lead to unauthorized actions on the affected systems. Defenders should verify the version of the fresh Podcaster plugin in use, review user access controls, and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:46.307Z and has not been modified since then. The NVD entry is currently 6.4 (Medium).