CVE-2025-13536 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the Blubrry PowerPress Podcasting plugin for WordPress. The issue arises from insufficient validation of uploaded file types in the 'powerpress_edit_post' function. While the plugin performs a check on file extensions, it fails to halt execution if the validation fails, allowing authenticated users with Contributor-level or higher privileges to upload arbitrary files to the server. This improper handling can be exploited to upload malicious payloads, potentially leading to remote code execution (RCE) on the web server hosting the WordPress site. The vulnerability affects all versions up to and including 11.15.2. The CVSS v3.1 base score is 8.8, reflecting high severity with network attack vector, low attack complexity, and privileges required but no user interaction. The scope is unchanged, but the impact on confidentiality, integrity, and availability is high. No patches or exploit code are currently publicly available, but the vulnerability is published and should be considered critical for sites using this plugin. The flaw is particularly dangerous because Contributor-level users are common in WordPress environments, and the ability to upload arbitrary files can bypass many security controls if not mitigated.

The vulnerability allows attackers with relatively low privileges (Contributor-level) to upload arbitrary files, which can lead to remote code execution. This compromises the confidentiality, integrity, and availability of the affected WordPress site and potentially the underlying server. Attackers could deploy web shells or other malicious scripts to gain persistent access, steal sensitive data, deface websites, or use the server as a pivot point for further attacks. Organizations relying on the Blubrry PowerPress plugin for podcasting may face service disruption, data breaches, and reputational damage. Given WordPress's widespread use globally, the impact can be significant, especially for media companies, content creators, and enterprises that use podcasting as a communication channel. The vulnerability's exploitation does not require user interaction, increasing the risk of automated attacks once exploit code becomes available.

1. Immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious uploads. 2. Monitor and audit file uploads closely, especially those associated with the PowerPress plugin, to detect suspicious or unauthorized files. 3. Implement web application firewall (WAF) rules to block or flag unusual file upload patterns or file types not expected by the plugin. 4. Disable or limit file upload capabilities in the plugin settings if possible until a patch is released. 5. Keep WordPress core and all plugins updated; apply patches from Blubrry promptly once available. 6. Use security plugins that can detect and quarantine malicious files or web shells. 7. Employ server-side controls such as disabling execution permissions in upload directories to prevent execution of uploaded scripts. 8. Regularly backup website data and configurations to enable quick recovery in case of compromise. 9. Educate site administrators and contributors about the risks of uploading untrusted files and enforce strict content policies.