Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin
On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.
We contacted Blubrry on April 6, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on April 10, 2023. We commend the PowerPress development team for their swift response and timely patch release.
We urge users to update their sites with the latest patched version of PowerPress, version 10.0.4 at the time of this writing, as soon as possible.