Posted on July 06, 2026 by Eric Teubert

Security Advisory: Podlove Publisher 4.5.2

Podlove Publisher 4.5.2 fixes CVE-2026-13001, a critical vulnerability in the image cache that could allow unauthenticated remote code…

Portrait of Eric Teubert

Podlove Publisher 4.5.2 fixes CVE-2026-13001, a critical vulnerability in the image cache that could allow unauthenticated remote code execution on affected installations.

Affected Versions

Podlove Publisher versions before 4.5.2.

Fixed Version

Podlove Publisher 4.5.2.

Required Action

Update immediately.

Do not wait for automatic updates. WordPress.org plugin auto-updates may be delayed, and this release should be installed manually as soon as possible.

After updating, the plugin migration clears existing Podlove image cache files. Site owners and hosters may also clear the cache manually:

rm -rf wp-content/cache/podlove

Additional Hardening

We recommend blocking PHP execution in writable WordPress directories such as cache and upload directories.

See the Podlove Publisher security guide:

https://docs.podlove.org/podlove-publisher/guides/security

Technical Summary

The vulnerability was caused by unsafe handling of cached image file extensions.

The image cache could validate a downloaded file as an image while storing it with an executable extension derived from the remote URL path. The fixed version only uses safe image extensions, stores cached files with the validated downloaded image type, persists the validated extension in cache metadata, and flushes existing image cache files during upgrade.

Eric Teubert

Backend Developer