Critical Vulnerability in Podlove Podcast Publisher Plugin Allows Unauthenticated File Uploads Leading to RCE
A critical vulnerability, CVE-2026-13001, in the Podlove Podcast Publisher plugin for WordPress, impacting versions up to and including 4.5.1, allows unauthenticated attackers to upload arbitrary files due to missing file type validation, potentially leading to remote code execution on the server.
A severe vulnerability, identified as CVE-2026-13001, affects the Podlove Podcast Publisher plugin for WordPress, specifically in all versions up to and including 4.5.1. This flaw stems from inadequate file type validation within the podlove_handle_cache_files function, which attackers can exploit. This allows unauthenticated adversaries to upload arbitrary files, including malicious scripts such as web shells, directly to the vulnerable WordPress site's server. The absence of proper validation grants threat actors a direct path to establish persistence, execute arbitrary code, and potentially gain full control over the compromised web server. Such an attack could lead to data exfiltration, website defacement, or further compromise of the hosting environment.
Attack Chain
- An unauthenticated attacker identifies a WordPress instance running the vulnerable Podlove Podcast Publisher plugin.
- The attacker crafts an HTTP POST request targeting the
podlove_handle_cache_filesfunction endpoint on the vulnerable server. - Within this POST request, the attacker includes a malicious file, such as a PHP web shell (e.g.,
shell.php), bypassing typical file type checks. - Due to the missing file type validation in the plugin's
podlove_handle_cache_filesfunction, the server accepts and processes the malicious file upload. - The plugin saves the uploaded malicious file to a publicly accessible directory on the web server.
- The attacker then navigates to the URL of the uploaded web shell (e.g.,
https://example.com/wp-content/uploads/cache/shell.php) via a web browser. - Upon accessing the web shell, the attacker can execute arbitrary commands on the underlying server, leveraging the web server's privileges.
- Successful command execution grants the attacker remote code execution capabilities, enabling further compromise of the system or network.
Impact
Successful exploitation of CVE-2026-13001 results in unauthenticated remote code execution on the affected WordPress server. This critical access allows attackers to completely compromise the web server, leading to potential data breaches, website defacement, denial-of-service attacks, or using the compromised server as a launching pad for further attacks within the network. Organizations running the vulnerable plugin face significant risks of operational disruption, reputational damage, and severe financial and legal repercussions due to data loss or exposure.
Recommendation
- Patch CVE-2026-13001 immediately by updating the Podlove Podcast Publisher plugin to a version greater than 4.5.1.
- Deploy the provided Sigma rule to your SIEM system to detect suspicious file uploads targeting WordPress.
- Enable comprehensive web server access logging, particularly for HTTP POST requests and unusual file extensions (e.g.,
.php,.phar,.jsp) in upload directories.
Detection coverage 1
Detects CVE-2026-13001 Exploitation - Malicious File Upload via Podlove Podcast Publisher
highDetects exploitation of CVE-2026-13001 by monitoring HTTP POST requests to the Podlove Podcast Publisher plugin's cache file handler with suspicious file extensions, indicative of arbitrary file upload attempts.
Detection queries are available on the platform. Get full rules →