PowerPress Podcasting plugin by Blubrry Security & Risk Analysis

wordpress.org/plugins/powerpress

No. 1 Podcasting plugin for WordPress.

30K active installs · v11.15.17 · PHP 5.2+ · WP 3.6+ · Updated Mar 5, 2026
Tags: apple-podcasts, podcast, podcast-publishing, podcast-rss-feed, spotify
Score: 88 (A · Safe)
CVEs total: 19
Unpatched: 0
Last CVE: Feb 25, 2026
Safety Verdict

Is PowerPress Podcasting plugin by Blubrry Safe to Use in 2026?

Generally Safe

Score 88/100

PowerPress Podcasting plugin by Blubrry has a strong security track record. Known vulnerabilities have been patched promptly.

19 known CVEs · Last CVE: Feb 25, 2026 · Updated 29d ago
Risk Assessment

The PowerPress plugin exhibits a mixed security posture. Static analysis shows significant effort to secure entry points: there are no unprotected AJAX handlers or REST API routes, and nonce and capability checks are widely used. There are underlying concerns, however. The high number of dangerous function calls, specifically `unserialize`, coupled with a substantial percentage of flows with unsanitized paths, including one high-severity taint flow, presents a notable risk. This suggests potential vulnerabilities where deserialization of untrusted input could lead to code execution or other harmful actions if not handled meticulously by the application logic consuming these flows. Every `unserialize` call listed under Dangerous Functions Found passes `['allowed_classes' => false]`, which prevents object instantiation, so the remaining exposure lies in how the unserialized data is then used.

The plugin's vulnerability history is a significant concern, with a large number of known CVEs (19 in total) across several high-impact categories including deserialization, CSRF, SSRF, unrestricted uploads, and XSS. Although there are currently no unpatched vulnerabilities, the sheer volume and types of past issues indicate a recurring pattern of complex security flaws. The last reported vulnerability, in early 2026, indicates that issues have continued to surface recently, though they are now patched, reinforcing the need for continued vigilance. While the current version shows some good security practices in its entry point protection, the historical trend and specific code signals like `unserialize` usage warrant caution and ongoing monitoring.

Key Concerns

  • High number of dangerous functions (unserialize)
  • High percentage of unsanitized paths in taint analysis
  • One high severity taint flow
  • Large historical vulnerability count (19 CVEs)
  • Common vulnerability types: Deserialization, CSRF, SSRF, XSS
  • Low percentage of properly escaped output
Vulnerabilities
19

PowerPress Podcasting plugin by Blubrry Security Vulnerabilities

CVEs by Year

  • 2015: 2 CVEs
  • 2020: 1 CVE
  • 2023: 5 CVEs
  • 2024: 2 CVEs
  • 2025: 8 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • High: 4
  • Medium: 15

19 total CVEs

CVE-2026-23798 · high · 7.5 · Deserialization of Untrusted Data

PowerPress Podcasting plugin by Blubrry <= 11.15.10 - Authenticated (Contributor+) PHP Object Injection

Feb 25, 2026 Patched in 11.15.11 (9d)
CVE-2025-13536 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Blubrry PowerPress <= 11.15.2 - Authenticated (Contributor+) Arbitrary File Upload via 'powerpress_edit_post'

Nov 26, 2025 Patched in 11.15.3 (1d)
CVE-2025-64201 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

PowerPress Podcasting <= 11.13.12 - Cross-Site Request Forgery

Oct 21, 2025 Patched in 11.14 (15d)
CVE-2025-49984 · medium · 6.4 · Server-Side Request Forgery (SSRF)

PowerPress Podcasting <= 11.13.11 - Authenticated (Contributor+) Server-Side Request Forgery

Jun 19, 2025 Patched in 11.13.12 (125d)
CVE-2025-46264 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

PowerPress Podcasting plugin by Blubrry <= 11.12.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 23, 2025 Patched in 11.12.6 (9d)
CVE-2025-32690 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress Podcasting <= 11.12.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 9, 2025 Patched in 11.12.6 (27d)
CVE-2025-32691 · medium · 5.4 · Server-Side Request Forgery (SSRF)

PowerPress Podcasting <= 11.12.6 - Authenticated (Contributor+) Server-Side Request Forgery

Apr 9, 2025 Patched in 11.12.7 (22d)
CVE-2024-9230 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress Podcasting <= 11.9.17 - Authenticated (Author+) Stored Cross-Site Scripting

Mar 24, 2025 Patched in 11.9.18 (29d)
CVE-2024-9227 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress Podcasting <= 11.9.17 - Authenticated (Author+) Stored Cross-Site Scripting

Mar 2, 2025 Patched in 11.9.18 (90d)
CVE-2024-9543 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Powerpress <= 11.9.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via skipto Shortcode

Oct 10, 2024 Patched in 11.9.19 (1d)
CVE-2024-6588 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress Podcasting plugin by Blubrry <= 11.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via media_url Parameter

Jul 11, 2024 Patched in 11.9.11 (1d)
CVE-2023-4820 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress <= 11.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Media URL

Sep 13, 2023 Patched in 11.0.12 (132d)
CVE-2023-41239 · medium · 5.4 · Server-Side Request Forgery (SSRF)

PowerPress <= 11.0.6 - Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info

Aug 29, 2023 Patched in 11.0.7 (147d)
WF-64371d43-3acd-4863-80e4-deab071777b9-powerpress · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress <= 10.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Feed[title]'

Jun 6, 2023 Patched in 10.2.4 (231d)
CVE-2023-30778 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress <= 10.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Apr 17, 2023 Patched in 10.0.2 (281d)
CVE-2023-1917 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress <= 10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Apr 11, 2023 Patched in 10.0.2 (287d)
CVE-2021-24123 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

PowerPress <= 8.3.7 - Arbitrary File Upload

Oct 11, 2020 Patched in 8.3.8 (1199d)
CVE-2015-9410 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress <= 6.0.4 - Reflected Cross-Site Scripting

Sep 14, 2015 Patched in 6.0.5 (3053d)
CVE-2015-1385 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerPress <= 6.0.0 - Cross-Site Scripting

Jan 29, 2015 Patched in 6.0.1 (3281d)
Code Analysis
Analyzed Mar 16, 2026

PowerPress Podcasting plugin by Blubrry Code Analysis

  • Dangerous Functions: 15
  • Raw SQL Queries: 15 (29 prepared)
  • Unescaped Output: 3231 (1939 escaped)
  • Nonce Checks: 44
  • Capability Checks: 19
  • File Operations: 124
  • External Requests: 27
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · `if( @unserialize($string, ['allowed_classes' => false]) )` · powerpress.php:5232
unserialize · `if ( false !== ( $gm = @unserialize( $meta, ['allowed_classes' => false] ) ) )` · powerpress.php:5281
unserialize · `$ExtraData = @unserialize($Serialized, ['allowed_classes' => false]);` · powerpress.php:5350
unserialize · `$podPressMedia = @unserialize($podPressMedia, ['allowed_classes' => false]);` · powerpress.php:5426
unserialize · `$podPressMedia = @unserialize($podPressMedia, ['allowed_classes' => false]);` · powerpress.php:5435
unserialize · `$ExtraData = @unserialize($EnclosureSerialized, ['allowed_classes' => false]);` · powerpressadmin-jquery.php:1318
unserialize · `$podpress_data = @unserialize($row['meta_value'], ['allowed_classes' => false]);` · powerpressadmin-podpress.php:82
unserialize · `$podpress_data = @unserialize($podpress_data_serialized, ['allowed_classes' => false]);` · powerpressadmin-podpress.php:86
unserialize · `$podpress_data_two = @unserialize($podpress_data, ['allowed_classes' => false]);` · powerpressadmin-podpress.php:89
unserialize · `$podpress_data_two = @unserialize($podpress_data_serialized, ['allowed_classes' => false]);` · powerpressadmin-podpress.php:93
unserialize · `$podpress_unserialized = @unserialize($podpress_data, ['allowed_classes' => false]);` · powerpressadmin-podpress.php:103
unserialize · `$podpress_unserialized = @unserialize($podpress_data_serialized, ['allowed_classes' => false]);` · powerpressadmin-podpress.php:107
unserialize · `$episode_data = (count($meta_parts) > 3) ? unserialize($meta_parts[3], ['allowed_classes' => false])` · powerpressadmin.php:5564
unserialize · `$postmeta_data = @unserialize($postmeta_parts[3], ['allowed_classes' => false]);` · powerpressadmin.php:5871
unserialize · `$ExtraData = @unserialize($EnclosureSerialized, ['allowed_classes' => false]);` · views\episode-box.php:131

SQL Query Safety

66% prepared · 44 total queries

Output Escaping

38% escaped · 5170 total outputs
Data Flows
30 unsanitized

Data Flow Analysis

25 flows · 30 with unsanitized paths
powerpress_metamarks_addrow (powerpress-metamarks.php:62)
Attack Surface

PowerPress Podcasting plugin by Blubrry Attack Surface

Entry Points: 15
Unprotected: 0

AJAX Handlers 5

auth · wp_ajax_powerpress_notice_dismiss · powerpressadmin-notifications.php:50
auth · wp_ajax_powerpress_media_info · powerpressadmin.php:4421
auth · wp_ajax_powerpress_metamarks_addrow · powerpressadmin.php:4435
auth · wp_ajax_powerpress_dashboard_dismiss · powerpressadmin.php:4449
auth · wp_ajax_powerpress_create_subscribe_page · powerpressadmin.php:4541

Shortcodes 10

[skipto] powerpress-player.php:48
[display_podcast] powerpress-player.php:69
[powerpress] powerpress-player.php:303
[podcast] powerpress-player.php:306
[podcastlist] powerpress-playlist.php:553
[podcastplaylist] powerpress-playlist.php:554
[powerpressplaylist] powerpress-playlist.php:555
[powerpress_playlist] powerpress-playlist.php:556
[powerpresssubscribe] powerpress-subscribe.php:864
[powerpress_subscribe] powerpress-subscribe.php:865

WordPress Hooks 98

action · wp_head · class.powerpress-subscribe-widget.php:16
action · admin_enqueue_scripts · class.powerpress-subscribe-widget.php:19
action · widgets_init · class.powerpress-subscribe-widget.php:294
action · admin_menu · powerpress-network.php:25
filter · powerpress_player · powerpress-player.php:51
filter · powerpress_player · powerpress-player.php:53
filter · powerpress_player · powerpress-player.php:55
action · wp_powerpress_player_scripts · powerpress-player.php:317
filter · powerpress_player · powerpress-player.php:892
filter · powerpress_player · powerpress-player.php:893
filter · powerpress_player · powerpress-player.php:894
filter · powerpress_player_links · powerpress-player.php:1063
filter · powerpress_player_links · powerpress-player.php:1064
filter · powerpress_player_links · powerpress-player.php:1065
filter · powerpress_player_links · powerpress-player.php:1066
filter · powerpress_join · powerpress-playlist.php:144
filter · powerpress_where · powerpress-playlist.php:151
action · wp_footer · powerpress-playlist.php:264
action · admin_footer · powerpress-playlist.php:265
action · powerpress_playlist_scripts · powerpress-playlist.php:267
action · admin_notices · powerpress.php:129
action · init · powerpress.php:134
filter · get_the_excerpt · powerpress.php:451
filter · the_content · powerpress.php:452
filter · the_excerpt · powerpress.php:454
action · wp_head · powerpress.php:561
action · wp_head · powerpress.php:568
filter · exit_on_http_head · powerpress.php:592
action · powerpress_check_for_chartable_hook · powerpress.php:717
action · powerpress_sync_progad_hook · powerpress.php:1203
action · rss2_ns · powerpress.php:1205
action · rss2_ns_powerpress · powerpress.php:1206
action · rss2_head · powerpress.php:1948
action · rss2_head_powerpress · powerpress.php:1949
filter · rss2_item · powerpress.php:2747
filter · rss2_item_powerpress · powerpress.php:2748
filter · rss_enclosure · powerpress.php:2816
filter · get_bloginfo_rss · powerpress.php:2921
filter · get_wp_title_rss · powerpress.php:2990
filter · the_title_rss · powerpress.php:3031
filter · feed_content_type · powerpress.php:3069
filter · wp_audio_shortcode_override · powerpress.php:3084
filter · wp_audio_extensions · powerpress.php:3091
filter · option_rss_language · powerpress.php:3113
action · template_redirect · powerpress.php:3200
filter · rewrite_rules_array · powerpress.php:3264
filter · pre_transient_rewrite_rules · powerpress.php:3286
filter · the_content · powerpress.php:3393
filter · powerpress_player_subscribe_links · powerpress.php:3400
filter · powerpress_player_subscribe_links · powerpress.php:3401
filter · the_guid · powerpress.php:3424
action · init · powerpress.php:3471
action · init · powerpress.php:3542
action · wp_print_styles · powerpress.php:3559
filter · request · powerpress.php:3599
action · plugins_loaded · powerpress.php:3605
filter · w3tc_can_print_comment · powerpress.php:3649
filter · w3tc_minify_enable · powerpress.php:3654
filter · posts_fields · powerpress.php:3981
filter · posts_join · powerpress.php:4003
filter · posts_where · powerpress.php:4033
filter · posts_groupby · powerpress.php:4053
filter · post_limits · powerpress.php:4068
action · do_pings · powerpress.php:4082
filter · powerpress_premium_content_authorized · powerpress.php:5628
filter · pre_get_posts · powerpress.php:6167
filter · manage_powerpressadmin_categoryfeeds_columns · powerpressadmin-categoryfeeds.php:14
filter · manage_powerpressadmin_customfeeds_columns · powerpressadmin-customfeeds.php:15
action · admin_head-index.php · powerpressadmin-dashboard.php:321
action · wp_dashboard_setup · powerpressadmin-dashboard.php:322
action · media_upload_powerpress_image · powerpressadmin-metabox.php:1608
filter · media_upload_tabs · powerpressadmin-metabox.php:1653
filter · flash_uploader · powerpressadmin-metabox.php:1719
action · powerpress_admin_migration_hook · powerpressadmin-migrate.php:586
filter · manage_powerpressadmin_importmt_columns · powerpressadmin-mt.php:330
action · all_admin_notices · powerpressadmin-notifications.php:49
action · admin_head · powerpressadmin-notifications.php:51
filter · manage_powerpressadmin_importpodpress_columns · powerpressadmin-podpress.php:330
filter · manage_powerpressadmin_posttypefeeds_columns · powerpressadmin-posttypefeeds.php:15
filter · manage_powerpressadmin_taxonomyfeeds_columns · powerpressadmin-taxonomyfeeds.php:15
action · wp_loaded · powerpressadmin.php:6
filter · plugin_row_meta · powerpressadmin.php:1737
action · admin_init · powerpressadmin.php:1772
action · wp_trash_post · powerpressadmin.php:1773
action · admin_notices · powerpressadmin.php:1797
action · admin_menu · powerpressadmin.php:2278
action · save_post · powerpressadmin.php:3315
filter · wp_insert_post_data · powerpressadmin.php:3397
action · publish_post · powerpressadmin.php:3415
action · admin_head · powerpressadmin.php:4192
filter · cat_row_actions · powerpressadmin.php:4580
filter · tag_row_actions · powerpressadmin.php:4581
action · delete_term · powerpressadmin.php:4613
action · category_edit_form · powerpressadmin.php:4644
filter · plugin_action_links · powerpressadmin.php:6999
action · init · shortcodes\ShortCode.php:9
action · admin_enqueue_scripts · views\episode-box.php:28
filter · upload_mimes · views\episode-box.php:44

Scheduled Events 4

updateProgram
powerpress_admin_migration_hook
powerpress_check_for_chartable_hook
powerpress_sync_progad_hook
Maintenance & Trust

PowerPress Podcasting plugin by Blubrry Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 5, 2026
  • PHP min version: 5.2
  • Downloads: 6.1M

Community Trust

  • Rating: 92/100
  • Number of ratings: 231
  • Active installs: 30K
Developer Profile

PowerPress Podcasting plugin by Blubrry Developer Profile

blubrry

1 plugin · 30K total installs

  • Trust score: 71
  • Avg Security Score: 88/100
  • Avg Patch Time: 471 days
Detection Fingerprints

How We Detect PowerPress Podcasting plugin by Blubrry

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/powerpress/js/powerpress-admin.js
  • /wp-content/plugins/powerpress/js/powerpress-player.js
  • /wp-content/plugins/powerpress/js/powerpress-subscribe-shortcode.js
  • /wp-content/plugins/powerpress/css/powerpress-admin.css
  • /wp-content/plugins/powerpress/css/powerpress-player.css
  • /wp-content/plugins/powerpress/css/powerpress-subscribe.css
  • /wp-content/plugins/powerpress/images/player/play_video_default.jpg

Script Paths
  • /wp-content/plugins/powerpress/js/powerpress-admin.js
  • /wp-content/plugins/powerpress/js/powerpress-player.js
  • /wp-content/plugins/powerpress/js/powerpress-subscribe-shortcode.js

Version Parameters
  • powerpress/js/powerpress-admin.js?ver=
  • powerpress/js/powerpress-player.js?ver=
  • powerpress/js/powerpress-subscribe-shortcode.js?ver=
  • powerpress/css/powerpress-admin.css?ver=
  • powerpress/css/powerpress-player.css?ver=
  • powerpress/css/powerpress-subscribe.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • powerpress-player
  • powerpress-subscribe-button

HTML Comments
  • <!-- Blubrry PowerPress Plugin -->
  • <!-- end Blubrry PowerPress Plugin -->

Data Attributes
  • data-powerpress-feed
  • data-powerpress-type

JS Globals
  • PowerPressPlayer
  • powerpress_subscribe_shortcode_init

Shortcode Output
  • [powerpress_subscribe]
  • [powerpress_player]
  • [powerpress_playlist]
FAQ

Frequently Asked Questions about PowerPress Podcasting plugin by Blubrry