External risk intelligence

Podlove Podcast Publisher Arbitrary File Upload Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-13001

The vulnerability exists in a WordPress plugin. WordPress sites are web applications commonly deployed as public-facing services. Because the plugin functionality is exposed via the web server to process requests, it is likely to be reachable by an attacker over the internet.

Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the Podlove Podcast Publisher, a WordPress plugin. The issue allows unauthenticated attackers to upload arbitrary files, which could potentially lead to remote code execution on the affected server. The main concern is confirming if this plugin is in use and, if so, its exposure.

  • Unauthenticated file uploads could allow code execution.
  • Critical vulnerability in widely used WordPress plugin.
  • Confirm relevance and exposure of the plugin.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can upload arbitrary files to a WordPress site by exploiting a flaw in the Podlove Podcast Publisher plugin. This occurs because the plugin, specifically in the 'podlove_handle_cache_files' function, does not properly validate file types. Successful exploitation could allow an attacker to execute malicious code on the server.

  • No authentication required.
  • Upload arbitrary files.
  • Potential for remote code execution.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated attackers could upload arbitrary files to a WordPress site's server when the Podlove Podcast Publisher plugin is vulnerable, potentially leading to remote code execution.

  • Server-side files.
  • Arbitrary file uploads.
  • Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Podlove Podcast Publisher plugin for WordPress is affected by an arbitrary file upload vulnerability. This impacts WordPress site owners and potentially platform teams responsible for maintaining the WordPress environment. The immediate priority is to locate all instances of the affected plugin, confirm their internet reachability and business criticality, and then coordinate remediation with the accountable WordPress site owner.

  • WordPress site owners should own this issue.
  • Verify internet-facing WordPress sites.
  • Plan remediation during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Podlove Podcast Publisher plugin?

Podlove Podcast Publisher is an extension for WordPress designed to help podcasters manage, distribute, and publish audio and video episodes directly from their WordPress dashboard. It handles complex tasks like media file hosting, feed management, and player integration, effectively turning a standard WordPress installation into a full-featured podcasting platform.

What does CWE-20 mean for CVE-2026-13001?

This CVE involves CWE-20, which is the Improper Input Validation weakness class. In this case, the plugin fails to verify the type of files being uploaded to the server. Because the system does not check if an uploaded file is a legitimate podcast asset or a malicious script, it blindly accepts the file, which creates the opening for an attacker to save harmful content to the server.

How is the arbitrary file upload triggered?

An attacker triggers this vulnerability by sending a specially crafted request to the plugin's 'podlove_handle_cache_files' function. Because the plugin lacks authentication requirements for this process, anyone can initiate the upload. The flaw is not triggered by standard administrative use of the plugin's dashboard settings; it is specifically the lack of validation during the request-handling process that creates the risk.

How does Halo Surface Signal rate the risk here?

Halo Surface Signal labels this as a 'Likely' risk because the vulnerability exists within a WordPress plugin. Since WordPress sites are typically deployed as public-facing web applications to reach audiences, the functionality processed by this plugin is exposed to the internet, making it reachable by unauthorized actors globally.

What should I do if I use this plugin?

The first step is to audit your WordPress environments to determine if the Podlove Podcast Publisher plugin is currently installed. If it is, verify whether the site is internet-facing and assess its business importance. Coordinate with your WordPress site owners to plan for updates or necessary configuration changes during your next maintenance window to address this security gap.

References