Plataforma
wordpress
Componente
seriously-simple-podcasting
Corrigido em
3.13.1
CVE-2025-66061 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Seriously Simple Podcasting plugin for WordPress. This vulnerability allows an attacker to potentially perform unauthorized actions on a user's account without their knowledge. The vulnerability impacts versions of the plugin ranging from 0.0.0 through 3.13.0, and a fix is available in version 3.14.0.
A successful CSRF attack could allow an attacker to modify podcast settings, delete existing podcasts, or perform other administrative actions as the logged-in user. The impact is directly tied to the privileges of the user whose account is targeted. If an administrator's account is compromised, the attacker could gain full control over the WordPress site and its associated data, including podcast content, user accounts, and configuration settings. This could lead to data breaches, website defacement, or denial of service.
This vulnerability was publicly disclosed on 2025-11-21. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk of exploitation.
Websites using the Seriously Simple Podcasting plugin, particularly those running older versions (0.0.0–3.13.0), are at risk. Shared hosting environments where plugin updates are not managed by the user are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'seriously-simple-podcasting/index.php' /var/www/html/• wordpress / composer / npm:
wp plugin list --status=inactive | grep seriously-simple-podcasting• wordpress / composer / npm:
wp plugin update --alldisclosure
Status do Exploit
EPSS
0.03% (percentil 7%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-66061 is to immediately update the Seriously Simple Podcasting plugin to version 3.14.0 or later. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, enable a WAF (Web Application Firewall) with CSRF protection rules. After upgrading, verify the fix by attempting to trigger a podcast modification action from a different browser session or incognito window to ensure the request is blocked.
Atualize para a versão 3.14.0 ou uma versão corrigida mais recente
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-66061 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–3.13.0 of the Seriously Simple Podcasting WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Seriously Simple Podcasting versions 0.0.0 through 3.13.0. Check your plugin version and update immediately if necessary.
Update the Seriously Simple Podcasting plugin to version 3.14.0 or later. Consider implementing a Content Security Policy (CSP) and a WAF for added protection.
There is no confirmed active exploitation of CVE-2025-66061 at this time, but the vulnerability is publicly known and could be targeted.
Please refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.