{"id":"CVE-2025-0554","details":"The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version \u003c= 4.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","modified":"2026-04-09T10:31:49.108786Z","published":"2025-01-18T06:15:28.160Z","references":[{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/39d41772-49f3-4bce-a170-cbe64ba99184?source=cve"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3217075%40podlove-podcasting-plugin-for-wordpress&new=3217075%40podlove-podcasting-plugin-for-wordpress&sfp_email=&sfph_mail="}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/podlove/podlove-publisher","events":[{"introduced":"0"},{"fixed":"b8634a979a197c51f708d4c41c4a1ddd5ee4f932"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.2.0"}]}}],"versions":["1.10.10-alpha","1.10.11-alpha","1.10.14-alpha","1.10.15-alpha","1.10.16-alpha","1.10.17-alpha","1.10.18-alpha","1.10.19-alpha","1.10.20-alpha","1.10.21-alpha","1.10.22-alpha","1.10.23-alpha","1.10.3-alpha","1.10.4-alpha","1.10.5-alpha","1.10.6-alpha","1.10.7-alpha","1.10.8-alpha","1.10.9-alpha","1.11-alpha","1.11.1-alpha","1.11.2-alpha","1.9.10-alpha","1.9.11-alpha","1.9.12-alpha","1.9.3-alpha","1.9.4-alpha","1.9.5-alpha","1.9.6-alpha","1.9.8-alpha","1.9.9-alpha","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.1.0","2.1.1","2.1.2","2.1.3","2.10.0","2.11.0","2.11.1","2.11.2","2.11.3","2.11.4","2.2.0","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.7.0","2.8.0","2.8.1","2.8.10","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.1","2.9.10","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","2.9.8","2.9.9","3.0.0","3.0.1","3.0.2","3.0.4","3.1-beta1","3.1-beta2","3.1-beta3","3.1-beta4","3.1.1","3.1.1-beta1","3.1.1-beta2","3.1.1-beta3","3.1.1-beta4","3.1.1-beta5","3.1.1-beta6","3.1.1-beta7","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.18","3.1.2","3.1.3","3.1.4","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.0-beta1","3.2.0-beta2","3.2.0-beta3","3.2.0-beta4","3.2.0-beta5","3.2.1","3.2.2","3.3.0","3.3.1","3.3.2","3.4.0","3.4.1","3.4.2-beta1","3.4.2-beta2","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.5.5","3.5.6","3.6.0","3.6.1","3.8.0","3.8.0-beta1","3.8.0-beta2","3.8.0-beta3","3.8.0-beta4","3.8.0-beta5","3.8.1","3.8.1-beta1","3.8.1-beta2","3.8.10","3.8.11","3.8.12","3.8.2","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.8","3.8.9","4.0.0","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.1","4.1.10","4.1.11","4.1.12","4.1.13","4.1.14","4.1.15","4.1.16","4.1.17","4.1.18","4.1.19","4.1.2","4.1.20","4.1.21","4.1.22","4.1.23","4.1.24","4.1.25","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","refs/heads/shownotes-module"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0554.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}