Podlove Podcast Publisher Security & Risk Analysis

wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress

The one and only next generation podcast publishing system. Seriously. It's magical and sparkles a lot.

Active installs: 3K · Version: v4.3.5 · PHP 8.0+ · WP 4.9.6+ · Updated: Mar 7, 2026

Tags: audio, podcast, podlove, publishing, rss

Score: 81
Grade: B · Generally Safe
CVEs total: 22
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is Podlove Podcast Publisher Safe to Use in 2026?

Mostly Safe

Score 81/100

Podlove Podcast Publisher is generally safe to use. 22 past CVEs were resolved. Keep it updated.

22 known CVEs · Last CVE: Sep 22, 2025 · Updated 27d ago
Risk Assessment

The Podlove Podcasting Plugin for WordPress, version 4.3.5, presents a mixed security posture. While the code signals show a reasonable number of capability checks and a low percentage of SQL queries using prepared statements, there are significant areas of concern. The presence of 5 unprotected entry points, including AJAX handlers and REST API routes, opens the door for unauthorized actions. Furthermore, the taint analysis indicates a concerning lack of sanitization in critical areas, with 2 flows identified as having unsanitized paths, even though they are not currently rated as critical or high severity. This suggests a potential for injection vulnerabilities if malicious input is provided.

The vulnerability history for this plugin is a major red flag. With 22 known CVEs, including a substantial number of critical and high-severity vulnerabilities in the past, it indicates a pattern of recurring security weaknesses. Common vulnerability types such as Unrestricted Upload, Open Redirect, CSRF, XSS, Code Injection, SSRF, and SQL Injection have been prevalent. While there are currently no unpatched CVEs, the historical trend suggests a need for vigilance and frequent updates. The plugin's strengths lie in its use of bundled jQuery and a moderate percentage of prepared SQL statements. However, these are overshadowed by the significant attack surface without proper authentication and the concerning vulnerability history.

Key Concerns

  • Unprotected AJAX handlers and REST API routes
  • Flows with unsanitized paths in taint analysis
  • High number of past critical/high severity CVEs
  • Low percentage of properly escaped output
  • Limited nonce checks on entry points
Vulnerabilities: 22

Podlove Podcast Publisher Security Vulnerabilities

CVEs by Year

2016: 2 CVEs
2017: 1 CVE
2021: 1 CVE
2023: 2 CVEs
2024: 10 CVEs
2025: 6 CVEs

Severity Breakdown

Critical: 3
High: 5
Medium: 14

22 total CVEs

CVE-2025-10147 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Podlove Podcast Publisher <= 4.2.6 - Unauthenticated Arbitrary File Upload
Sep 22, 2025 · Patched in 4.2.7 (1d)

CVE-2025-58204 · medium · 6.1 · URL Redirection to Untrusted Site ('Open Redirect')
Podlove Podcast Publisher <= 4.2.5 - Open Redirect
Aug 27, 2025 · Patched in 4.2.6 (8d)

CVE-2025-1383 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Podlove Podcast Publisher <= 4.2.2 - Cross-Site Request Forgery via ajax_transcript_delete Function
Mar 5, 2025 · Patched in 4.2.3 (1d)

CVE-2024-13730 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Podlove Podcast Publisher <= 4.2.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 3, 2025 · Patched in 4.2.1 (82d)

CVE-2024-13729 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Podlove Podcast Publisher <= 4.1.23 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 3, 2025 · Patched in 4.1.24 (82d)

CVE-2025-0554 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Podlove Podcast Publisher <= 4.1.25 - Authenticated (Admin+) Stored Cross-Site Scripting via Feed Name
Jan 17, 2025 · Patched in 4.2.0 (1d)

CVE-2024-52393 · high · 7.2 · Improper Control of Generation of Code ('Code Injection')
Podlove Podcast Publisher <= 4.1.15 - Authenticated (Admin+) Remote Code Execution
Nov 11, 2024 · Patched in 4.1.17 (11d)

CVE-2024-43984 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Podlove Podcast Publisher <= 4.1.13 - Cross-Site Request Forgery to Remote Code Execution
Aug 28, 2024 · Patched in 4.1.14 (8d)

CVE-2024-43983 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Podlove Podcast Publisher <= 4.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Aug 28, 2024 · Patched in 4.1.14 (8d)

CVE-2024-32812 · medium · 4.3 · Server-Side Request Forgery (SSRF)
Podlove Podcast Publisher <= 4.0.11 - Authenticated (Contributor+) Server-Side Request Forgery
Apr 22, 2024 · Patched in 4.0.12 (9d)

CVE-2024-32712 · medium · 4.3 · Missing Authorization
Podlove Podcast Publisher <= 4.0.14 - Cross-Site Request Forgery
Apr 22, 2024 · Patched in 4.0.15 (9d)

CVE-2024-32139 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Podlove Podcast Publisher <= 4.0.12 - Authenticated (Contributor+) SQL Injection
Apr 12, 2024 · Patched in 4.0.14 (6d)

CVE-2024-32143 · medium · 4.3 · Missing Authorization
Podlove Podcast Publisher <= 4.1.0 - Missing Authorization
Apr 12, 2024 · Patched in 4.1.1 (6d)

CVE-2024-29915 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Podlove Podcast Publisher <= 4.0.9 - Reflected Cross-Site Scripting
Mar 25, 2024 · Patched in 4.0.10 (8d)

CVE-2024-1110 · medium · 5.3 · Missing Authorization
Podlove Podcast Publisher <= 4.0.11 - Missing Authorization to Settings Import
Feb 6, 2024 · Patched in 4.0.12 (1d)

CVE-2024-1109 · medium · 5.3 · Missing Authorization
Podlove Podcast Publisher <= 4.0.11 - Missing Authorization to Unauthenticated Data Export
Feb 6, 2024 · Patched in 4.0.12 (1d)

CVE-2023-25472 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Podlove Podcast Publisher <= 3.8.3 - Cross-Site Request Forgery
Feb 10, 2023 · Patched in 3.8.4 (347d)

CVE-2023-25046 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Podlove Podcast Publisher <= 3.8.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Feb 3, 2023 · Patched in 3.8.3 (354d)

CVE-2021-24666 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Podlove Podcast Publisher <= 3.5.5 - Unauthenticated SQL Injection
Aug 24, 2021 · Patched in 3.5.6 (882d)

CVE-2017-12949 · high · 8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Podlove Podcast Publisher <= 2.5.3 - Authenticated SQL Injection
Aug 7, 2017 · Patched in 2.6.0 (2360d)

CVE-2016-10942 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Podlove Podcast Publisher < 2.3.16 - SQL Injection
Dec 14, 2016 · Patched in 2.3.16 (2596d)

CVE-2016-10941 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Podlove Podcast Publisher < 2.3.16 - Cross-Site Request Forgery to Cross-Site Scripting
Sep 16, 2016 · Patched in 2.3.16 (2685d)
Code Analysis (analyzed Mar 16, 2026)

Podlove Podcast Publisher Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (13 prepared)
Unescaped Output: 89 (19 escaped)
Nonce Checks: 1
Capability Checks: 25
File Operations: 4
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

72% prepared (18 total queries)

Output Escaping

18% escaped (108 total outputs)

Data Flows: 2 unsanitized

Data Flow Analysis

3 flows, 2 with unsanitized paths

podlove_rehash_process_actions (includes\request_id_rehash.php:25)
Attack Surface: 5 unprotected

Podlove Podcast Publisher Attack Surface

Entry Points: 11
Unprotected: 5

AJAX Handlers (1)

auth · wp_ajax_podlove-hide-donation-banner · includes\donation_banner.php:4

REST API Routes (10)

GET /wp-json/podlove/v1/analytics/episodes · includes\api\analytics.php:18
GET /wp-json/podlove/v1/analytics/episodes/(?P<id>[\d]+) · includes\api\analytics.php:24
GET /wp-json/podlove/v1/analytics/episodes/(?P<ids>[\d]+,[\d,]+) · includes\api\analytics.php:30
GET /wp-json/podlove/v2/analytics/episodes · includes\api\analytics.php:37
GET /wp-json/podlove/v2/analytics/episodes/(?P<id>[\d]+) · includes\api\analytics.php:43
GET /wp-json/podlove/v2/analytics/episodes/(?P<ids>[\d]+,[\d,]+) · includes\api\analytics.php:49
GET /wp-json/podlove/v1/episodes · includes\api\episodes.php:16
GET /wp-json/podlove/v1/episodes/(?P<id>[\d]+) · includes\api\episodes.php:22
GET /wp-json/podlove/v1/episodes/(?P<id>[\d]+) · includes\api\episodes.php:28
GET /wp-json/podlove/v1/show · includes\api\show.php:12
WordPress Hooks (125)

action · admin_init · includes\about.php:3
action · admin_init · includes\about.php:4
action · admin_notices · includes\about.php:54
filter · podlove_dashboard_page · includes\about.php:58
action · rest_api_init · includes\api\admin\onboarding.php:7
action · rest_api_init · includes\api\admin\plus.php:9
action · rest_api_init · includes\api\analytics.php:5
action · rest_api_init · includes\api\chapters.php:13
action · rest_api_init · includes\api\episodes.php:12
action · rest_api_init · includes\api\episodes.php:152
action · rest_api_init · includes\api\feeds.php:7
action · rest_api_init · includes\api\podcast.php:9
action · rest_api_init · includes\api\show.php:7
action · rest_api_init · includes\api\tools.php:5
filter · the_title · includes\auto_post_titles.php:6
filter · podlove_get_episode_title · includes\auto_post_titles.php:7
filter · podlove_get_episode_title_rss · includes\auto_post_titles.php:8
action · admin_print_scripts · includes\auto_post_titles.php:9
action · podlove_media_file_content_has_changed · includes\cache.php:6
action · podlove_episode_content_has_changed · includes\cache.php:15
action · wp · includes\chapters.php:9
filter · pre_update_option_podlove_asset_assignment · includes\chapters.php:51
filter · podlove_episode_form_data · includes\chapters.php:85
action · podlove_append_to_feed_entry · includes\chapters.php:109
action · upgrader_process_complete · includes\compatibility.php:37
action · podlove_flush_rewrite_rules · includes\compatibility.php:38
action · admin_notices · includes\db_migration.php:24
action · admin_notices · includes\deprecations.php:2
action · admin_head-post.php · includes\detect_duplicate_slugs.php:4
action · admin_notices · includes\detect_duplicate_slugs.php:50
action · admin_notices · includes\donation_banner.php:3
action · wp · includes\downloads.php:6
action · podlove_download_file · includes\downloads.php:7
action · init · includes\downloads.php:221
filter · query_vars · includes\downloads.php:239
filter · redirect_canonical · includes\downloads.php:248
filter · manage_edit-podcast_columns · includes\episode_number_column.php:3
action · manage_podcast_posts_custom_column · includes\episode_number_column.php:4
action · quick_edit_custom_box · includes\episode_number_quick_edit_form.php:3
action · save_post · includes\episode_number_quick_edit_form.php:4
action · admin_footer · includes\episode_number_quick_edit_form.php:5
filter · post_row_actions · includes\episode_number_quick_edit_form.php:6
filter · podlove_episode_form_data · includes\explicit_content.php:3
action · admin_init · includes\extras.php:19
action · init · includes\extras.php:26
action · plugins_loaded · includes\extras.php:32
filter · feed_link · includes\extras.php:34
filter · podlove_subscribe_url · includes\extras.php:35
filter · pre_update_option_podlove_asset_assignment · includes\extras.php:43
action · init · includes\feed_discovery.php:38
action · wp_head · includes\feed_discovery.php:40
action · init · includes\frontend_styles.php:5
action · wp · includes\images.php:9
action · podlove_validate_image_cache · includes\images.php:15
action · podlove_refetch_cached_image · includes\images.php:16
action · init · includes\images.php:54
filter · query_vars · includes\images.php:62
action · wp · includes\images.php:72
action · added_post_meta · includes\import.php:7
filter · wp_import_post_meta · includes\import.php:25
action · init · includes\jetpack.php:4
action · template_redirect · includes\jetpack.php:12
filter · podlove_episode_form_data · includes\license.php:5
action · pre_get_posts · includes\merge_episodes.php:7
filter · request · includes\merge_episodes.php:21
action · plugins_loaded · includes\modules.php:10
action · admin_notices · includes\modules.php:23
filter · pre_update_option_podlove_active_modules · includes\modules.php:40
action · update_option_podlove_active_modules · includes\modules.php:51
action · added_post_meta · includes\no_enclosure_autodiscovery.php:32
action · added_postmeta · includes\no_enclosure_autodiscovery.php:34
action · after_setup_theme · includes\permalinks.php:4
action · permalink_structure_changed · includes\permalinks.php:5
action · wp · includes\permalinks.php:6
filter · post_type_link · includes\permalinks.php:7
filter · post_rewrite_rules · includes\permalinks.php:8
filter · request · includes\permalinks.php:11
filter · podlove_web_player_shortcode_episode_attributes · includes\podlove-web-player-5.php:13
action · admin_head · includes\podlove_data_js_adapter.php:13
filter · podlove_data_js · includes\podlove_data_js_adapter.php:15
action · init · includes\podlove_data_js_adapter.php:44
filter · podlove_episode_form_data · includes\recording_date.php:3
filter · podlove_episode_data_filter · includes\recording_date.php:22
filter · template_redirect · includes\redirects.php:3
filter · template_redirect · includes\redirects.php:4
action · admin_init · includes\request_id_rehash.php:3
action · admin_init · includes\request_id_rehash.php:4
action · admin_notices · includes\require_curl.php:2
filter · set-screen-option · includes\screen_options.php:8
action · admin_menu · includes\screen_options.php:16
action · admin_enqueue_scripts · includes\scripts_and_styles.php:15
filter · script_loader_tag · includes\scripts_and_styles.php:34
filter · podlove_data_js · includes\scripts_and_styles.php:64
filter · posts_search · includes\search.php:31
filter · posts_join · includes\search.php:72
action · wp_loaded · includes\setup_wizard.php:8
action · admin_init · includes\setup_wizard.php:9
action · update_option_permalink_structure · includes\system_report.php:12
action · update_option_podlove · includes\system_report.php:13
filter · the_content · includes\templates.php:6
action · wp_head · includes\templates.php:7
action · wp_footer · includes\templates.php:8
action · wp_body_open · includes\templates.php:9
action · template_redirect · includes\template_pages.php:7
filter · posts_results · includes\trash.php:3
action · admin_notices · includes\verify_itunes_category.php:2
action · podlove_fire_webhook · includes\webhooks.php:24
action · podlove_episode_content_has_changed · includes\webhooks.php:43
filter · rocket_minify_excluded_external_js · includes\wp_rocket.php:18
action · wpmu_new_blog · plugin.php:8
action · delete_blog · plugin.php:9
action · init · plugin.php:190
action · init · plugin.php:191
action · init · plugin.php:192
action · init · plugin.php:193
action · init · plugin.php:194
action · init · plugin.php:195
action · init · plugin.php:196
action · init · plugin.php:197
action · admin_init · plugin.php:199
action · admin_init · plugin.php:200
action · init · plugin.php:203
action · admin_init · podlove.php:68
action · admin_notices · podlove.php:78
action · admin_notices · podlove.php:85

Scheduled Events (4)

podlove_flush_rewrite_rules
podlove_validate_image_cache
podlove_refetch_cached_image
podlove_fire_webhook
Maintenance & Trust

Podlove Podcast Publisher Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 8.0
Downloads: 556K

Community Trust

Rating: 88/100
Number of ratings: 44
Active installs: 3K
Developer Profile

Podlove Podcast Publisher Developer Profile

Eric Teubert

2 plugins · 3K total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 430 days
Detection Fingerprints

How We Detect Podlove Podcast Publisher

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/css/about.css
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/images/about/network.png
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/podlove-vue-app.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/podlove-vue-app.css
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/podlove-modal.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/podlove-modal.css
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/jquery.form.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/vue-multiselect.min.js
+4 more

Script Paths
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/podlove-vue-app.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/podlove-modal.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/jquery.form.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/vue-multiselect.min.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/chart.min.js
/wp-content/plugins/podlove-podcasting-plugin-for-wordpress/js/sweetalert2.all.min.js

Version Parameters
podlove-podcasting-plugin-for-wordpress/css/about.css?ver=
podlove-podcasting-plugin-for-wordpress/js/podlove-vue-app.js?ver=
podlove-podcasting-plugin-for-wordpress/js/podlove-vue-app.css?ver=
podlove-podcasting-plugin-for-wordpress/js/podlove-modal.js?ver=
podlove-podcasting-plugin-for-wordpress/js/podlove-modal.css?ver=
podlove-podcasting-plugin-for-wordpress/js/jquery.form.js?ver=
podlove-podcasting-plugin-for-wordpress/js/vue-multiselect.min.js?ver=
podlove-podcasting-plugin-for-wordpress/js/vue-multiselect.min.css?ver=
podlove-podcasting-plugin-for-wordpress/js/chart.min.js?ver=
podlove-podcasting-plugin-for-wordpress/js/sweetalert2.all.min.js?ver=
podlove-podcasting-plugin-for-wordpress/js/sweetalert2.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
podlove-about-wrap, podlove-badge, podlove-dashboard-page

HTML Comments
<!-- composer autoloader -->
<!-- run after migrations -->
<!-- show only once per upgrade and network -->
<!-- only load file once -->
+14 more

Data Attributes
data-v-app, data-v-509571b8, data-v-a0976892, data-v-42e8d86b, data-v-5608c3c5

JS Globals
PodloveVueApp, podlove_vue_app_config, podlove_settings

REST Endpoints
/wp-json/podlove/v1/configuration
/wp-json/podlove/v1/feeds
/wp-json/podlove/v1/files
/wp-json/podlove/v1/modules
/wp-json/podlove/v1/shows
/wp-json/podlove/v1/settings

Shortcode Output
[podlove-template
[podlove-episode-title]
[podlove-episode-subtitle]
[podlove-episode-summary]
FAQ

Frequently Asked Questions about Podlove Podcast Publisher