Stored Cross-Site Scripting Vulnerability in Blubrry PowerPress Podcasting Plugin for WordPress
CVE-2026-12098

6.4 MEDIUM

What is CVE-2026-12098?

The PowerPress Podcasting plugin by Blubrry for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via the 'embed' Episode Meta Field in all versions up to and including 11.16.8, due to insufficient input sanitization and output escaping. Authenticated attackers with author-level access and above can inject arbitrary web scripts into the field; the script executes in the browser of any user who views an injected page. The issue is made worse by the fact that the embed value is saved via update_post_meta(), which bypasses the kses filtering WordPress applies to post content. Users who lack the unfiltered_html capability, whose HTML would otherwise be stripped of script tags and event handlers before it is stored, can therefore still persist executable markup on the site.
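The following is an added illustration of the save/render pattern behind this class of bug, beside a hardened version; it is example code, not PowerPress's own, and the meta key (_example_embed), form field and nonce names, and the iframe allow-list are assumptions made for the example. The point it demonstrates is that update_post_meta() performs no HTML filtering of its own (unlike post_content, which passes through wp_filter_post_kses() for users without unfiltered_html), so a sanitize_callback registered for the meta key, plus escaping on output, is what closes the gap.

```php
<?php
/**
 * Added example, not PowerPress code. Meta key, field/nonce names and the
 * iframe allow-list are assumptions chosen for illustration.
 */

// --- Vulnerable pattern -----------------------------------------------------
// update_post_meta() stores the value verbatim unless the key has a registered
// sanitize callback; no kses filtering is applied for low-privilege users.
function example_save_embed_vulnerable( $post_id ) {
    if ( ! isset( $_POST['example_embed'] ) ) {
        return;
    }
    // An author can submit "<script>...</script>" here and it is stored as-is.
    update_post_meta( $post_id, '_example_embed', $_POST['example_embed'] );
}

function example_render_embed_vulnerable( $post_id ) {
    // Raw meta echoed into the page: the stored payload runs for every visitor.
    echo get_post_meta( $post_id, '_example_embed', true );
}

// --- Hardened pattern -------------------------------------------------------
// Narrow allow-list: an embed field only needs a player iframe. wp_kses() drops
// every other tag/attribute and strips disallowed protocols (e.g. javascript:)
// from src via wp_allowed_protocols().
function example_allowed_embed_html() {
    return array(
        'iframe' => array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'title'           => true,
            'allow'           => true,
            'allowfullscreen' => true,
            'frameborder'     => true,
        ),
    );
}

// Mirror the trust boundary WordPress uses for post_content: only users holding
// unfiltered_html may store raw markup; everyone else is reduced to the allow-list.
function example_sanitize_embed( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses( $value, example_allowed_embed_html() );
}

// Registering the key makes sanitize_meta() (called inside update_metadata())
// run the callback on every write path, not just this one form handler.
add_action( 'init', function () {
    register_post_meta( 'post', '_example_embed', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,
        'sanitize_callback' => 'example_sanitize_embed',
        'auth_callback'     => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

function example_save_embed_hardened( $post_id ) {
    if ( ! isset( $_POST['example_embed'], $_POST['example_embed_nonce'] )
        || ! wp_verify_nonce( $_POST['example_embed_nonce'], 'example_embed_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // update_post_meta() expects slashed input; it unslashes, then calls
    // sanitize_meta(), so the registered callback filters the value here.
    update_post_meta( $post_id, '_example_embed', $_POST['example_embed'] );
}

function example_render_embed_hardened( $post_id ) {
    // Filter again on output with the same allow-list: this also neutralises
    // values stored before the fix or through a path that skipped sanitization.
    echo wp_kses( get_post_meta( $post_id, '_example_embed', true ), example_allowed_embed_html() );
}

add_action( 'save_post', 'example_save_embed_hardened' );
```

When auditing a plugin for this pattern, look for update_post_meta() / update_option() calls fed from $_POST without a registered sanitize_callback or an explicit wp_kses()/wp_kses_post() step, and check whether the corresponding get_post_meta() value is echoed without esc_html(), esc_attr() or wp_kses() on output; either side alone leaves the bug reachable.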

Affected Version(s)

PowerPress Podcasting plugin by Blubrry 0 <= 11.16.8

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mukhlis Amien