dnkblnSep 25, 2025
Podlove

⚠️ Make sure your Podlove Publisher is updated to v4.2.7 (published September 20). It fixes an exploit (published September 22) that is actively being used to upload malicious code to WordPress instances.

CVE: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/podlove-podcasting-plugin-for-wordpress/podlove-podcast-publisher-426-unauthenticated-arbitrary-file-upload

Sep 25, 2025 at 12:13amWeb
Show threadPodloveSep 25, 2025

Shout out to @ubernauten who went the extra mile to help detect and mitigate attacks for their users.

This post may help you find out if you were affected: https://uberspace.social/@ubernauten/115264495468009257

I can now confirm this as I have seen infected instances where wp-admin contained files like `3wF3e0.php` and a `.htaccess` that should not be there.

In http logs, you might see `GET /index.php?podlove_image_cache_url=...`, followed by a call of the exploit file in the cache directory.
–Eric

Show threadadlerweb // BitBasteleiSep 25, 2025
@podlove Is this really fixed? CVE talks about "unauthenticated" and move_as_original_file. None of the commits seem to add any authentication to move_as_original_file.
Show threadPodloveSep 25, 2025

@adlerweb See https://github.com/podlove/podlove-publisher/blob/67f7a6577bc27dd0d0bf11c7ae715ea6c0d9dfc3/lib/model/image.php#L434-L446

The move_as_original_file from the initial report comes after an \Podlove\is_image check. I decided to implement the fix there.

Here's the commit that hardens the is_image check: https://github.com/podlove/podlove-publisher/commit/68d99dadeb5ab4c1353a70f0abe7cc66822713d9
– Eric

podlove-publisher/lib/model/image.php at 67f7a6577bc27dd0d0bf11c7ae715ea6c0d9dfc3 · podlove/podlove-publisher

Podlove Podcast Publisher for WordPress. Contribute to podlove/podlove-publisher development by creating an account on GitHub.

GitHub
Show threadSpreewalderleRSep 25, 2025
@podlove zu spät....
Show threadTimpactSep 25, 2025
@podlove bei mir hat jmd die Instanz fürs Filesharing benutzt. 😭 Traffic Kontingent ist jetzt erschöpft. Habe sicherheitshalber alles platt gemacht weil eh nur 3 Folgen online waren und ich mit dem Projekt nicht so richtig vorangekommen bin.
Show threadMoritz GlantzSep 25, 2025
@podlove will there be information on how to find out if you have been compromised?
Show threadotackeSep 28, 2025

@MoritzGlantz

Some signs for contamination:
- Your main index.php includes stuff behind `<?php` in line 1, something like `goto ...` (same may be true for other WordPress default files):
- You find cache.php files that contain `error_reporting(0)` followed by obfuscated code
- You find files containing `error_reporting(0); set_time_limit(0);` - even though they may not be php files - followed by all kinds of access permission changes to files

Show threadotackeSep 28, 2025
@MoritzGlantz
- Your main .htaccess file contains the rule `Allow from all` for `index.php`, `wp-blog-header.php`, ... Those files are the ones that may also contain more than a plain `<?php` in line 1.
Show threadDer BastardSep 25, 2025
@podlove Mir hat es meinen Podcast zerfickt. Meine WP-Installation mit 2795 Episoden aus 17 Jahren ist futsch.
Show threadMartin RützlerSep 25, 2025
@DerBastard @podlove ach Du Schxxxe 😱
Show threadɘigɘnstilSep 25, 2025
@martinruetzler
Krass.
@DerBastard @podlove
Show threadEric TeubertSep 25, 2025
@DerBastard @podlove 😔
Show threadElToroSep 26, 2025
@podlove @heisec vielleicht was für Heise Security.