{"id":"CVE-2025-1383","details":"The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","modified":"2026-04-09T10:34:39.023686Z","published":"2025-03-06T12:15:35.937Z","references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.0/lib/modules/transcripts/transcripts.php#L223"},{"type":"WEB","url":"https://wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress/#developers"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/00a95ae7-3c58-4e5e-aaef-c04d1dacf27f?source=cve"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset/3246867/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/podlove/podlove-publisher","events":[{"introduced":"0"},{"fixed":"3f37989e000f406ec7a484490a3d0549bb06ac91"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.2.3"}]}}],"versions":["1.10.10-alpha","1.10.11-alpha","1.10.14-alpha","1.10.15-alpha","1.10.16-alpha","1.10.17-alpha","1.10.18-alpha","1.10.19-alpha","1.10.20-alpha","1.10.21-alpha","1.10.22-alpha","1.10.23-alpha","1.10.3-alpha","1.10.4-alpha","1.10.5-alpha","1.10.6-alpha","1.10.7-alpha","1.10.8-alpha","1.10.9-alpha","1.11-alpha","1.11.1-alpha","1.11.2-alpha","1.9.10-alpha","1.9.11-alpha","1.9.12-alpha","1.9.3-alpha","1.9.4-alpha","1.9.5-alpha","1.9.6-alpha","1.9.8-alpha","1.9.9-alpha","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.1.0","2.1.1","2.1.2","2.1.3","2.10.0","2.11.0","2.11.1","2.11.2","2.11.3","2.11.4","2.2.0","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.7.0","2.8.0","2.8.1","2.8.10","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.1","2.9.10","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","2.9.8","2.9.9","3.0.0","3.0.1","3.0.2","3.0.4","3.1-beta1","3.1-beta2","3.1-beta3","3.1-beta4","3.1.1","3.1.1-beta1","3.1.1-beta2","3.1.1-beta3","3.1.1-beta4","3.1.1-beta5","3.1.1-beta6","3.1.1-beta7","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.18","3.1.2","3.1.3","3.1.4","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.0-beta1","3.2.0-beta2","3.2.0-beta3","3.2.0-beta4","3.2.0-beta5","3.2.1","3.2.2","3.3.0","3.3.1","3.3.2","3.4.0","3.4.1","3.4.2-beta1","3.4.2-beta2","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.5.5","3.5.6","3.6.0","3.6.1","3.8.0","3.8.0-beta1","3.8.0-beta2","3.8.0-beta3","3.8.0-beta4","3.8.0-beta5","3.8.1","3.8.1-beta1","3.8.1-beta2","3.8.10","3.8.11","3.8.12","3.8.2","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.8","3.8.9","4.0.0","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.1","4.1.10","4.1.11","4.1.12","4.1.13","4.1.14","4.1.15","4.1.16","4.1.17","4.1.18","4.1.19","4.1.2","4.1.20","4.1.21","4.1.22","4.1.23","4.1.24","4.1.25","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.2.0","4.2.1","4.2.2","refs/heads/shownotes-module"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1383.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}