Posted on July 06, 2026 by Eric Teubert
Security Advisory: Podlove Publisher 4.5.2
Podlove Publisher 4.5.2 fixes CVE-2026-13001, a critical vulnerability in the image cache that could allow unauthenticated remote code…

Podlove Publisher 4.5.2 fixes CVE-2026-13001, a critical vulnerability in the image cache that could allow unauthenticated remote code execution on affected installations.
Affected Versions
Podlove Publisher versions before 4.5.2.
Fixed Version
Podlove Publisher 4.5.2.
Required Action
Update immediately.
Do not wait for automatic updates. WordPress.org plugin auto-updates may be delayed, and this release should be installed manually as soon as possible.
After updating, the plugin migration clears existing Podlove image cache files. Site owners and hosters may also clear the cache manually:
rm -rf wp-content/cache/podlove
Additional Hardening
We recommend blocking PHP execution in writable WordPress directories such as cache and upload directories.
See the Podlove Publisher security guide:
https://docs.podlove.org/podlove-publisher/guides/security
Technical Summary
The vulnerability was caused by unsafe handling of cached image file extensions.
The image cache could validate a downloaded file as an image while storing it with an executable extension derived from the remote URL path. The fixed version only uses safe image extensions, stores cached files with the validated downloaded image type, persists the validated extension in cache metadata, and flushes existing image cache files during upgrade.
Eric Teubert
Backend Developer
