[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_7UhKvzLN3g4-wgrRBTawVEBeew4ZNlkPYrwurFvJHA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39505","seriously-simple-podcasting-missing-authorization-3","Seriously Simple Podcasting \u003C= 3.14.2 - Missing Authorization","The Seriously Simple Podcasting plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.14.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","seriously-simple-podcasting",null,"\u003C=3.14.2","3.14.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-26 00:00:00","2026-04-15 21:11:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff433c05f-d541-4e80-a99f-4f417a2738a6?source=api-prod",21,[22,23,24,25,26,27,28,29],"assets\u002Fadmin\u002Fcss\u002Fadmin.css","assets\u002Fadmin\u002Fcss\u002Fadmin.min.css","assets\u002Fadmin\u002Fscss\u002F_episode-meta-sidebar.scss","assets\u002Fjs\u002Fadmin.js","assets\u002Fjs\u002Fadmin.min.js","build\u002Findex.asset.php","build\u002Findex.js","php\u002Fclasses\u002Fcontrollers\u002Fclass-assets-controller.php","researched",false,3,"# Research Plan: CVE-2026-39505 - Unauthorized Action in Seriously Simple Podcasting\n\n## 1. Vulnerability Summary\nThe **Seriously Simple Podcasting** plugin (versions \u003C= 3.14.2) contains a missing authorization vulnerability in an AJAX handler. Specifically, the action `update_episode_embed_code` fails to implement a capability check (e.g., `current_user_can()`) and does not verify a WordPress nonce. This allows unauthenticated attackers to perform an unauthorized action—specifically, modifying the embed code dimensions (width and height) for any podcast episode, which can disrupt the site's layout or potentially disclose information if applied to private posts.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `update_episode_embed_code`\n- **HTTP Method**: `POST`\n- **Parameters**:\n  - `action`: `update_episode_embed_code` (Required)\n  - `post_id`: The ID of the podcast episode to modify.\n  - `width`: The desired width for the embed code.\n  - `height`: The desired height for the embed code.\n- **Authentication**: None required (the action is likely registered via `wp_ajax_nopriv_update_episode_embed_code` or the `wp_ajax_` handler lacks a login check and is reachable).\n- **Preconditions**: The attacker needs to know or guess the `post_id` of a podcast episode.\n\n## 3. Code Flow\n1. **Frontend (JS)**: In `assets\u002Fjs\u002Fadmin.js` (and `admin.min.js`), the plugin listens for changes on elements with the class `.episode_embed_code_size_option`.\n2. **AJAX Trigger**: When a change occurs, the following jQuery code (verbatim from `assets\u002Fjs\u002Fadmin.js`) is executed:\n   ```javascript\n   $( '.episode_embed_code_size_option' ).on('change', function() {\n       var width = $( '#episode_embed_code_width' ).val();\n       var height = $( '#episode_embed_code_height' ).val();\n       var post_id = $( '#post_ID' ).val();\n\n       $.post(\n           ajaxurl,\n           {\n               action: 'update_episode_embed_code',\n               width: width,\n               height: height,\n               post_id: post_id\n           },\n           function(response) {\n               if( response ) {\n                   $( '#episode_embed_code' ).val( response );\n                   $( '#episode_embed_code' ).select();\n               }\n           }\n       );\n   });\n   ```\n3. **Backend (PHP)**: The request is received by `admin-ajax.php`. It routes to the `update_episode_embed_code` callback (likely in an AJAX controller or the main plugin class).\n4. **Processing**: The handler reads `post_id`, `width`, and `height`. It fails to call `current_user_can( 'edit_post', $post_id )` or `check_ajax_referer()`. It likely updates the post meta and returns the newly generated HTML embed code.\n\n## 4. Nonce Acquisition Strategy\nAccording to the source code in `assets\u002Fjs\u002Fadmin.js","The Seriously Simple Podcasting plugin (\u003C= 3.14.2) fails to perform authorization and nonce validation on the 'update_episode_embed_code' AJAX handler. This allows unauthenticated attackers to modify the embed code dimensions (width and height) for any podcast episode by providing a target post ID.","\u002F\u002F assets\u002Fjs\u002Fadmin.js:233\n$( '.episode_embed_code_size_option' ).on('change', function() {\n\n\tvar width = $( '#episode_embed_code_width' ).val();\n\tvar height = $( '#episode_embed_code_height' ).val();\n\tvar post_id = $( '#post_ID' ).val();\n\n\t$.post(\n\t    ajaxurl,\n\t    {\n\t        action: 'update_episode_embed_code',\n\t        width: width,\n\t        height: height,\n\t        post_id: post_id\n\t    },\n\t    function(response) {\n\t        if( response ) {\n\t            $( '#episode_embed_code' ).val( response );\n\t            $( '#episode_embed_code' ).select();\n\t        }\n\t    }\n\t);\n});","null","The vulnerability is exploited by targeting the WordPress AJAX endpoint. \n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. HTTP Method: POST\n3. Payload: \n   - action: update_episode_embed_code\n   - post_id: [ID of target podcast episode]\n   - width: [New width value, e.g., 800]\n   - height: [New height value, e.g., 600]\n4. Authentication: No authentication or specific nonce is required because the server-side handler fails to check for user capabilities (e.g., current_user_can('edit_post', $post_id)) or verify a security nonce (e.g., check_ajax_referer).\n5. Outcome: The plugin updates the post meta for the specified episode with the provided dimensions and returns the updated HTML embed code.","gemini-3-flash-preview","2026-04-17 22:43:27","2026-04-17 22:44:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.14.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseriously-simple-podcasting\u002Ftags\u002F3.14.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseriously-simple-podcasting.3.14.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseriously-simple-podcasting\u002Ftags\u002F3.14.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseriously-simple-podcasting.3.14.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseriously-simple-podcasting\u002Ftags"]