CVE-2026-24637: WordPress PowerPress Podcasting plugin <= 11.15.10 - SQL Injection vulnerability
Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection vulnerability in the PowerPress Podcasting plugin for WordPress, affecting versions 11.15.10 and earlier. The vulnerability is reachable over the network and requires only a low-privilege contributor-level account, with no additional user interaction needed. Successful exploitation gives an attacker read access to sensitive data stored in the WordPress database and can cause limited disruption to availability. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-24637 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built WordPress images that bundle the PowerPress Podcasting plugin. Coverage extends to images in both connected registries and active CI/CD pipelines.
- Scoring and triage: Available
HarborGuard is capable of scoring this CVE at CVSS 8.5 (HIGH) and weighting that score against each customer organization's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer org is available automatically based on those policy settings.
- Fix availability: Pending upstream
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Required
A low-privilege WordPress account at the Contributor role or above is sufficient to trigger the injection; no administrative access is needed.
- Victim interaction: Not required
The attacker can send the malicious request directly without any action required from another user.
- Attack complexity: Low (AC:L)
Exploitation is reliable and imposes no special conditions, timing requirements, or environmental dependencies.
Blast Radius
- Reads arbitrary rows from the WordPress database, including stored user credentials, email addresses, session tokens, and private post content.
- Can extract plugin and theme configuration data, API keys, or other sensitive values stored in the wp_options table.
- Causes limited availability impact, such as degraded database query performance or minor service disruption, under the A:L rating.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory across every ingest cycle, so any upstream fix is caught and acted on immediately. Because no patched version exists yet, recommended compensating controls include isolating the WordPress container from direct public exposure behind a web application firewall, restricting Contributor-role account creation to trusted users, and applying network policy rules that limit outbound database access to only the application container. Where compliance policy permits and auto-remediation is enabled, HarborGuard will automatically trigger a patched-image rebuild, run the regression test suite, and open a PR against affected workloads the moment an upstream fix version is published.
Affected Products
- Blubrry Podcasting / PowerPress Podcasting: ≤ 11.15.10
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L