CVE-2025-13536: CWE-434 Unrestricted Upload of File with Dangerous Type in blubrry PowerPress Podcasting plugin by Blubrry
The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-13536 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Blubrry PowerPress Podcasting plugin for WordPress. The vulnerability arises from insufficient validation of uploaded file types in the 'powerpress_edit_post' function. Although the plugin performs file extension checks, it does not halt execution when these checks fail, allowing authenticated users with Contributor-level access or higher to upload arbitrary files to the server. This can lead to remote code execution (RCE) if malicious files such as web shells or scripts are uploaded and executed. The vulnerability affects all versions up to and including 11.15.2. The CVSS v3.1 base score is 8.8, indicating high severity, with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacting confidentiality, integrity, and availability. No patches are currently linked, and no exploits are known in the wild, but the risk remains significant due to the ease of exploitation by authenticated users. The vulnerability is particularly dangerous because Contributor-level users are common in WordPress environments, and the ability to upload arbitrary files can lead to full site compromise.
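The flaw class described above is a "check but don't bail" pattern: the handler records that the extension check failed and then carries on to store the file anyway. The following is an added, hypothetical illustration written for this page; it is not the PowerPress plugin's code and does not reproduce 'powerpress_edit_post'. The function names (example_handle_upload_vulnerable, example_handle_upload_fixed) and the extension allowlist are assumptions; the WordPress helpers it calls (current_user_can, wp_check_filetype_and_ext, sanitize_file_name, trailingslashit, WP_Error) are real core functions.

```php
<?php
// Added example: a simplified, hypothetical WordPress upload handler that
// illustrates the CWE-434 pattern in the advisory. NOT PowerPress code.
// Function names and the allowlist below are assumptions for this example.

// Extensions a podcast plugin might legitimately accept (assumed list).
const EXAMPLE_ALLOWED_EXT = ['mp3', 'm4a', 'ogg', 'wav', 'jpg', 'png'];

// Vulnerable pattern: the extension is checked and an error is recorded,
// but nothing stops the function, so the file is still moved into place.
function example_handle_upload_vulnerable(array $file, string $dest_dir): array {
    $ext    = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $errors = [];
    if (!in_array($ext, EXAMPLE_ALLOWED_EXT, true)) {
        $errors[] = 'Unsupported file type: ' . $ext;
        // Missing return / wp_die() here: validation "fails" but execution continues.
    }
    $target = trailingslashit($dest_dir) . sanitize_file_name($file['name']);
    move_uploaded_file($file['tmp_name'], $target); // reached even when $errors is non-empty
    return ['errors' => $errors, 'path' => $target];
}

// Hardened pattern: fail closed. Check capability and file type before any
// side effect, return on the first failure, and verify content as well as name.
function example_handle_upload_fixed(array $file, string $dest_dir) {
    // WordPress capability check; the default Contributor role lacks 'upload_files'.
    if (!current_user_can('upload_files')) {
        return new WP_Error('forbidden', 'Insufficient capability to upload files');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, EXAMPLE_ALLOWED_EXT, true)) {
        return new WP_Error('bad_type', 'Unsupported file type'); // execution halts here
    }
    // wp_check_filetype_and_ext() sniffs the file content and returns empty
    // 'ext'/'type' when the extension and content are not an allowed, consistent pair.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type']) || $check['ext'] !== $ext) {
        return new WP_Error('bad_type', 'File content does not match its extension');
    }
    $target = trailingslashit($dest_dir) . sanitize_file_name($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return new WP_Error('move_failed', 'Could not store the uploaded file');
    }
    return $target;
}
```

The difference between the two functions is the control flow after a failed check, not the check itself: the vulnerable version collects an error message the caller may never inspect, while the fixed version returns before any file is written. The capability check matters for this CVE specifically, because a default WordPress Contributor has no 'upload_files' capability, so a handler that gates on that capability (rather than on a post-editing capability alone) would not be reachable from a Contributor account.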
Potential Impact
For European organizations, this vulnerability poses a significant risk to WordPress sites running the Blubrry PowerPress plugin, especially those that allow multiple contributors or editors to upload content. Successful exploitation can lead to remote code execution, enabling attackers to take control of the web server, access sensitive data, deface websites, or use the compromised server as a pivot point for further attacks within the network. This can result in data breaches, service disruption, reputational damage, and potential regulatory penalties under GDPR if personal data is exposed. The impact is heightened for media companies, podcast producers, and content platforms that rely on this plugin for publishing. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts increase the risk. The lack of a patch at the time of disclosure means organizations must rely on compensating controls until updates are available.
Mitigation Recommendations
1. Immediately audit and restrict Contributor-level user permissions to only trusted individuals, minimizing the risk of malicious uploads.
2. Implement strict monitoring and logging of file uploads, especially for users with upload capabilities, to detect suspicious activity early.
3. Use web application firewalls (WAFs) with rules to block or alert on suspicious file upload patterns or execution attempts.
4. Disable or limit file execution permissions in upload directories to prevent execution of uploaded malicious files.
5. Regularly update the Blubrry PowerPress plugin and WordPress core once patches addressing this vulnerability are released.
6. Employ file integrity monitoring tools to detect unauthorized changes or uploads.
7. Consider isolating WordPress instances or using containerization to limit the blast radius of a potential compromise.
8. Educate contributors about secure upload practices and the risks of uploading untrusted files.
9. If possible, temporarily disable file upload features in the plugin until a patch is available.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-21T23:56:20.385Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69280bc90a6cf06979bbe46e
Added to database: 11/27/2025, 8:28:57 AM
Last enriched: 12/4/2025, 9:17:49 AM
Last updated: 1/11/2026, 8:17:37 AM