CVE-2026-39505

Seriously Simple Podcasting <= 3.14.2 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 3.14.3
Time to patch: 21d

Description

The Seriously Simple Podcasting plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.14.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.14.2
Published: March 26, 2026
Last updated: April 15, 2026

What Changed in the Fix

Changes introduced in v3.14.3


Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2026-39505 - Unauthorized Action in Seriously Simple Podcasting

1. Vulnerability Summary

The Seriously Simple Podcasting plugin (versions <= 3.14.2) contains a missing authorization vulnerability in an AJAX handler. Specifically, the action update_episode_embed_code does not perform a capability check (e.g., current_user_can()) and does not verify a WordPress nonce. This allows unauthenticated attackers to perform an unauthorized action: modifying the embed code dimensions (width and height) of any podcast episode, which can disrupt the site's layout or potentially disclose information if applied to private posts.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: update_episode_embed_code
  • HTTP Method: POST
  • Parameters:
    • action: update_episode_embed_code (Required)
    • post_id: The ID of the podcast episode to modify.
    • width: The desired width for the embed code.
    • height: The desired height for the embed code.
  • Authentication: None required (the action is likely registered via wp_ajax_nopriv_update_episode_embed_code or the wp_ajax_ handler lacks a login check and is reachable).
  • Preconditions: The attacker needs to know or guess the post_id of a podcast episode.

3. Code Flow

  1. Frontend (JS): In assets/js/admin.js (and admin.min.js), the plugin listens for changes on elements with the class .episode_embed_code_size_option.
  2. AJAX Trigger: When a change occurs, the following jQuery code (verbatim from assets/js/admin.js) is executed:
    $( '.episode_embed_code_size_option' ).on('change', function() {
        var width = $( '#episode_embed_code_width' ).val();
        var height = $( '#episode_embed_code_height' ).val();
        var post_id = $( '#post_ID' ).val();
    
        $.post(
            ajaxurl,
            {
                action: 'update_episode_embed_code',
                width: width,
                height: height,
                post_id: post_id
            },
            function(response) {
                if( response ) {
                    $( '#episode_embed_code' ).val( response );
                    $( '#episode_embed_code' ).select();
                }
            }
        );
    });
    
  3. Backend (PHP): The request is received by admin-ajax.php. It routes to the update_episode_embed_code callback (likely in an AJAX controller or the main plugin class).
  4. Processing: The handler reads post_id, width, and height. It fails to call current_user_can( 'edit_post', $post_id ) or check_ajax_referer(). It likely updates the post meta and returns the newly generated HTML embed code.

4. Nonce Acquisition Strategy

According to the source code in assets/js/admin.js

Research Findings
Static analysis — not yet PoC-verified

Summary

The Seriously Simple Podcasting plugin (<= 3.14.2) fails to perform authorization and nonce validation on the 'update_episode_embed_code' AJAX handler. This allows unauthenticated attackers to modify the embed code dimensions (width and height) for any podcast episode by providing a target post ID.

Vulnerable Code

// assets/js/admin.js:233
$( '.episode_embed_code_size_option' ).on('change', function() {

	var width = $( '#episode_embed_code_width' ).val();
	var height = $( '#episode_embed_code_height' ).val();
	var post_id = $( '#post_ID' ).val();

	$.post(
	    ajaxurl,
	    {
	        action: 'update_episode_embed_code',
	        width: width,
	        height: height,
	        post_id: post_id
	    },
	    function(response) {
	        if( response ) {
	            $( '#episode_embed_code' ).val( response );
	            $( '#episode_embed_code' ).select();
	        }
	    }
	);
});


Exploit Outline

The vulnerability is exploited by targeting the WordPress AJAX endpoint.

  1. Target Endpoint: /wp-admin/admin-ajax.php
  2. HTTP Method: POST
  3. Payload:
    • action: update_episode_embed_code
    • post_id: [ID of target podcast episode]
    • width: [New width value, e.g., 800]
    • height: [New height value, e.g., 600]
  4. Authentication: No authentication or specific nonce is required because the server-side handler fails to check for user capabilities (e.g., current_user_can('edit_post', $post_id)) or verify a security nonce (e.g., check_ajax_referer).
  5. Outcome: The plugin updates the post meta for the specified episode with the provided dimensions and returns the updated HTML embed code.
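The server-side handler that Code Flow step 4 and the Exploit Outline describe is not reproduced on this page. The block below is an added illustration, not Seriously Simple Podcasting's code, of how a WordPress AJAX handler for this action looks when both missing checks are present: check_ajax_referer() rejects any request that does not carry a valid nonce, and current_user_can( 'edit_post', $post_id ) enforces object-level authorization for the specific episode, so the unauthenticated request in the outline is refused before any post meta is written. The function name ssp_example_update_episode_embed_code, the nonce action string, the meta keys, the script handle ssp-admin and the sspEmbed JavaScript object are all assumptions made for the example.

```php
<?php
// Added example (not the plugin's own code): a hardened admin-ajax handler for the
// update_episode_embed_code action. All names below are assumed for illustration.

// Register ONLY the authenticated hook. Without a wp_ajax_nopriv_ registration,
// admin-ajax.php never dispatches this callback for logged-out visitors.
add_action( 'wp_ajax_update_episode_embed_code', 'ssp_example_update_episode_embed_code' );

function ssp_example_update_episode_embed_code() {
    // 1. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce( 'ssp_update_embed_code' ) in the `nonce` field.
    //    check_ajax_referer() terminates the request with -1 if it is missing or invalid.
    check_ajax_referer( 'ssp_update_embed_code', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 2. Object-level authorization: being logged in is not enough; the caller must be
    //    allowed to edit THIS episode. This is the check the advisory says was missing.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: dimensions are bounded positive integers, never raw strings.
    $width  = isset( $_POST['width'] )  ? absint( $_POST['width'] )  : 0;
    $height = isset( $_POST['height'] ) ? absint( $_POST['height'] ) : 0;
    if ( $width < 1 || $width > 4096 || $height < 1 || $height > 4096 ) {
        wp_send_json_error( array( 'message' => 'invalid dimensions' ), 400 );
    }

    // 4. Only now persist the values (meta keys are assumed for the example).
    update_post_meta( $post_id, '_ssp_embed_width', $width );
    update_post_meta( $post_id, '_ssp_embed_height', $height );

    // 5. Return the regenerated embed markup, escaping the URL that lands in an attribute.
    $embed = sprintf(
        '<iframe width="%d" height="%d" src="%s" frameborder="0" scrolling="no"></iframe>',
        $width,
        $height,
        esc_url( get_permalink( $post_id ) )
    );
    wp_send_json_success( $embed );
}

// Expose a nonce to the admin script so the front-end listener can include it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'ssp-admin', 'sspEmbed', array(
        'nonce' => wp_create_nonce( 'ssp_update_embed_code' ),
    ) );
} );
```

For the admin.js listener quoted above to pass this handler, its $.post payload needs one extra field, nonce: sspEmbed.nonce. A request without it, or one sent by a user who cannot edit that episode, receives an error response and nothing is stored. Note that the nonce alone is not the authorization control: the current_user_can( 'edit_post', $post_id ) check is what stops a low-privilege user from editing other people's episodes, and registering the hook only under wp_ajax_ (never wp_ajax_nopriv_) is what keeps it unreachable for unauthenticated visitors.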
