⚠️ Make sure your Podlove Publisher is updated to v4.2.7 (published September 20). It fixes an exploit (published September 22) that is actively being used to upload malicious code to WordPress instances.

CVE: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/podlove-podcasting-plugin-for-wordpress/podlove-podcast-publisher-426-unauthenticated-arbitrary-file-upload

@podlove Is this really fixed? CVE talks about "unauthenticated" and move_as_original_file. None of the commits seem to add any authentication to move_as_original_file.

@adlerweb See https://github.com/podlove/podlove-publisher/blob/67f7a6577bc27dd0d0bf11c7ae715ea6c0d9dfc3/lib/model/image.php#L434-L446

The move_as_original_file from the initial report comes after an \Podlove\is_image check. I decided to implement the fix there.

Here's the commit that hardens the is_image check: https://github.com/podlove/podlove-publisher/commit/68d99dadeb5ab4c1353a70f0abe7cc66822713d9
– Eric
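To illustrate what "hardening an is_image check" before a file move means in practice, here is an added example (not Podlove's code and not the linked commit): a hypothetical is_trusted_image() that requires the extension allowlist, the server-side MIME sniff and the parsed image header to all agree before the upload is moved anywhere.

```php
<?php
// Added example, not from the Podlove project. is_trusted_image() and the
// usage below are hypothetical; the idea is that the client-supplied name
// and $_FILES['type'] are never trusted on their own.

function is_trusted_image(string $tmp_path, string $original_name): bool
{
    // Allowlist: extension => MIME type the file contents must actually have.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
        'webp' => 'image/webp',
    ];

    // 1. Only the final extension of the submitted name is consulted, and it
    //    must be in the allowlist (so "cover.php" or "cover.phtml" is rejected).
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }

    // 2. Sniff the real bytes on disk with finfo instead of trusting the
    //    Content-Type the browser sent in $_FILES['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    if ($mime !== $allowed[$ext]) {
        return false;
    }

    // 3. The file must also parse as an image, and the parser's own MIME
    //    verdict must match the extension. Note: a valid image with trailing
    //    bytes still passes, so store uploads with a server-chosen name and
    //    extension in a location the web server never executes.
    $info = @getimagesize($tmp_path);
    if ($info === false || ($info['mime'] ?? null) !== $allowed[$ext]) {
        return false;
    }

    return true;
}

// Constructed usage at the upload boundary, before any move/rename:
// if (!is_trusted_image($_FILES['cover']['tmp_name'], $_FILES['cover']['name'])) {
//     wp_die('Upload rejected: not a permitted image.');
// }
```

Inside WordPress the core helper wp_check_filetype_and_ext() performs a comparable extension-versus-content check and can be used instead of hand-rolling step 2 and 3.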
