Scan free
MEDIUMCVE-2025-66061CVSS 4.3

CVE-2025-66061: CSRF in Seriously Simple Podcasting

Platform

wordpress

Component

seriously-simple-podcasting

Fixed in

3.13.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-66061 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Seriously Simple Podcasting plugin for WordPress. This vulnerability allows an attacker to potentially perform unauthorized actions on a user's account without their knowledge. The vulnerability impacts versions of the plugin ranging from 0.0.0 through 3.13.0, and a fix is available in version 3.14.0.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

A successful CSRF attack could allow an attacker to modify podcast settings, delete existing podcasts, or perform other administrative actions as the logged-in user. The impact is directly tied to the privileges of the user whose account is targeted. If an administrator's account is compromised, the attacker could gain full control over the WordPress site and its associated data, including podcast content, user accounts, and configuration settings. This could lead to data breaches, website defacement, or denial of service.

Exploitation Context

This vulnerability was publicly disclosed on 2025-11-21. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk of exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.03% (7% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N4.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentseriously-simple-podcasting
Vendorwordfence
Affected rangeFixed in
0.0.0 – 3.13.03.13.1

Package Information

Active installs
30KPopular
Plugin rating
4.7
Requires WordPress
5.3+
Compatible up to
7.0
Requires PHP
7.4+
Homepage

Weakness Classification (CWE)

CWE-352

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-66061 is to immediately update the Seriously Simple Podcasting plugin to version 3.14.0 or later. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, enable a WAF (Web Application Firewall) with CSRF protection rules. After upgrading, verify the fix by attempting to trigger a podcast modification action from a different browser session or incognito window to ensure the request is blocked.

How to fix

Update to version 3.14.0, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-66061 — CSRF in Seriously Simple Podcasting?

CVE-2025-66061 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–3.13.0 of the Seriously Simple Podcasting WordPress plugin, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2025-66061 in Seriously Simple Podcasting?

You are affected if you are using Seriously Simple Podcasting versions 0.0.0 through 3.13.0. Check your plugin version and update immediately if necessary.

How do I fix CVE-2025-66061 in Seriously Simple Podcasting?

Update the Seriously Simple Podcasting plugin to version 3.14.0 or later. Consider implementing a Content Security Policy (CSP) and a WAF for added protection.

Is CVE-2025-66061 being actively exploited?

There is no confirmed active exploitation of CVE-2025-66061 at this time, but the vulnerability is publicly known and could be targeted.

Where can I find the official Seriously Simple Podcasting advisory for CVE-2025-66061?

Please refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs