Unauthenticated Arbitrary File Upload Vulnerability

A critical vulnerability in Podlove Publisher has been discovered and is actively being exploited in the wild. If you run Podlove Publisher on your site, you must update immediately and check whether your system has already been compromised.

What you need to know

  • The vulnerability is fixed in v4.2.7 of Podlove Publisher.
  • Since the vulnerability was published, there has been widespread automated scanning for instances that were not patched immediately. Updating alone is not enough: you need to check whether your system has been compromised.

How to find out if you were attacked

If you read German, there is a really good blog post by uberspace, including which mitigations worked for them. Here is the short and concise version for anyone just trying to fix their own WordPress:

  • Upgrade to v4.2.7 or later if you haven't (and you really, really need to).
  • Look for PHP files anywhere under /wp-content/cache/podlove/. That directory only ever holds cached data, never code, so a .php file in any of its subdirectories means you've been compromised.
  • Look for PHP files in /wp-admin/ that are not part of WordPress, such as a randomly named 3wF3e0.php. If you find any, you've been compromised.

Now what?

If your site has been compromised, the best option is to restore a backup (files and database) from before the attacks started, and then immediately update the Publisher plugin, because the backup will contain the vulnerable version. If that's not an option:

  • Delete the whole /wp-content/cache/podlove/ directory. It only holds caches and can be deleted at any time.
  • Delete any suspicious files as described above.
  • Use one of the popular security plugins to scan for malicious files or content.
  • Check the database for malicious activity, such as newly added administrator accounts.
  • Change all passwords: WordPress user accounts, the database credentials stored in wp-config.php, and any other credentials kept on the server. Uploaded PHP code runs with the same rights as WordPress itself and can read all of them.
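The two detection checks and the cache purge from the lists above, as an added example that is not code from this post or from the Podlove project. It walks a WordPress install with plain find, prints every hit, and removes the disposable cache directory. The rule for "suspicious" wp-admin names (a basename containing digits or capital letters, which core files do not use) is my own heuristic, not something the post states, and the demo install it builds in a temp directory is constructed placeholder data, not a real site.

```shell
#!/bin/sh
# Added example (not from the post or the Podlove project): detection checks
# and cache purge for a Podlove Publisher file-upload compromise.
# Assumption: the wp-admin naming heuristic below is mine, not a rule from
# the post; the demo install is constructed placeholder data.
set -u
export LC_ALL=C   # deterministic sort order and [A-Z] ranges

# Any .php file under wp-content/cache/podlove/ is a planted file: the cache
# tree only ever holds cached data, never code.
find_podlove_cache_php() {
  cache="$1/wp-content/cache/podlove"
  [ -d "$cache" ] || return 0
  find "$cache" -type f -iname '*.php' | sort
}

# Heuristic (assumption): WordPress core ships wp-admin PHP files with
# lowercase, hyphenated names. A basename containing digits or capitals,
# such as the 3wF3e0.php mentioned in the post, is not one of them.
find_suspicious_wpadmin_php() {
  find "$1/wp-admin" -type f -iname '*.php' | while IFS= read -r f; do
    case "$(basename "$f")" in
      *[A-Z0-9]*) printf '%s\n' "$f" ;;
    esac
  done | sort
}

# Combined check: prints every hit and returns 1 if anything was found,
# so it can gate a cron job or a deploy step.
check_compromise() {
  hits="$(find_podlove_cache_php "$1"; find_suspicious_wpadmin_php "$1")"
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# Cleanup step 1 from the post: the whole podlove cache directory is
# disposable, so remove it outright rather than picking files out of it.
purge_podlove_cache() {
  cache="$1/wp-content/cache/podlove"
  [ -d "$cache" ] || return 0
  rm -rf -- "$cache"
}

# Constructed demo install (not real data): a few legitimate files plus the
# two kinds of planted file the post describes. Contents are placeholders.
make_demo_site() {
  root="$(mktemp -d)"
  mkdir -p "$root/wp-admin/includes" "$root/wp-content/cache/podlove/feeds/episode-1"
  : > "$root/wp-admin/admin.php"
  : > "$root/wp-admin/includes/class-wp-list-table.php"
  : > "$root/wp-content/cache/podlove/feeds/episode-1/feed.xml"
  echo '<?php /* placeholder for a planted file */' > "$root/wp-admin/3wF3e0.php"
  echo '<?php /* placeholder for a planted file */' > "$root/wp-content/cache/podlove/feeds/shell.php"
  printf '%s\n' "$root"
}

# Usage: ./podlove-check.sh /path/to/wordpress
# Without an argument it runs against the constructed demo install.
if [ -n "${1:-}" ]; then
  check_compromise "$1" || echo "COMPROMISED: delete the files above, then follow the cleanup steps"
else
  demo="$(make_demo_site)"
  check_compromise "$demo" || { echo "demo install flagged as compromised; purging cache"; purge_podlove_cache "$demo"; }
  rm -rf -- "$demo"
fi
```

The script only lists the wp-admin hits rather than deleting them, because a name that trips the heuristic still deserves a look before it goes. For the database step, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` (WP-CLI) lists administrators with their registration dates, so an account added during the attack window stands out.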

Be Prepared

Consider enabling auto-updates for plugins (WordPress has offered per-plugin auto-updates on the Plugins screen since version 5.5). The time between publication of the vulnerability and the start of the attacks was less than 24 hours, not enough to find out about a patch and update manually. I am now aware of better ways to handle the upgrade path for severe security patches, but you're safest with auto-updates. And backups. Backups are mandatory in any case.

Speed matters. Automated updates and frequent backups are your best defense.

Stay safe,
Eric

Thanks for this!
Maybe add that passwords (DB and others) need to be changed since they might have been compromised.

Is there an estimate of how impactful this hack could be? I mean, do they have full access to the machine? How far did it go?

Is there any information on what was achieved with this hack? What did the hacker use it for? Filesharing? Bitcoin?

Good point, edited some.

They could upload an arbitrary PHP file and execute it. That means they could read any file on the system, and have the same edit rights as any piece of code in the WordPress system. Pretty extensive.

I haven’t seen anything conclusive. Some people reported deleted files. Others traffic spikes, suggesting filesharing.


Thank you for writing about this, Eric, and for fixing the exploit. I discovered it once a client site had malware. Now that we've cleaned that up, and since Podlove files had been targeted in the cache, I just now noticed that a new user was added, which I have deleted.

I am SO happy that your plugin exists, especially for this client; it has been how I was able to continue their website since they're retired but still have a show.

Thank you again.
