CVE-2026-12098 is a stored cross-site scripting vulnerability in the PowerPress Podcasting plugin by Blubrry for WordPress. The vulnerability exists in the handling of the 'embed' Episode Meta Field, where input is insufficiently sanitized and output escaping is missing. The embed value is stored via update_post_meta() rather than through WordPress's core post content pipeline, so kses-on-save filtering is not applied. This allows authenticated users with author-level privileges or higher to inject arbitrary web scripts that execute when the injected page is accessed. The vulnerability affects all versions up to and including 11.16.8. There is no vendor advisory or patch information currently available, and no known exploits in the wild have been reported. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required at the author level, no user interaction, and impact on confidentiality and integrity but not availability.

An attacker with author-level or higher privileges can inject malicious scripts into the 'embed' Episode Meta Field, leading to stored cross-site scripting. This can result in the execution of arbitrary scripts in the context of users viewing the affected pages, potentially compromising user data confidentiality and integrity. There is no impact on availability. The vulnerability bypasses WordPress's standard role-based XSS mitigations due to the way the embed value is stored.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, limit author-level access to trusted users only. Monitor official Blubrry communications for updates or patches addressing this vulnerability.