Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging by rebelcode

    CVE-2026-2433 (GCVE-0-2026-2433)

    Vulnerability from nvd – Published: 2026-03-07 07:22 – Updated: 2026-04-08 16:45
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2433",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-09T17:31:34.331517Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-09T18:28:59.710Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin\u0027s admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator\u0027s session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin\u0027s admin page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:45:01.018Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/311960e7-c4b4-4638-980f-1e08ffa621ba?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L153"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L153"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3473511%40wp-rss-aggregator%2Ftrunk\u0026old=3439393%40wp-rss-aggregator%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-12T22:05:34.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-06T19:00:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2433",
        "datePublished": "2026-03-07T07:22:04.098Z",
        "dateReserved": "2026-02-12T21:50:01.000Z",
        "dateUpdated": "2026-04-08T16:45:01.018Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1216 (GCVE-0-2026-1216)

    Vulnerability from nvd – Published: 2026-02-17 09:26 – Updated: 2026-04-08 16:50
    VLAI
    Title
    RSS Aggregator <= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter
    Summary
    The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    D.Sim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1216",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T14:30:54.930393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T14:31:04.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "D.Sim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027template\u0027 parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:05.895Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47a10dd4-515c-42d9-82ea-c84f8f7574c5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Store/DisplaysStore.php#L106"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/src/Store/DisplaysStore.php#L106"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3439384%40wp-rss-aggregator%2Ftrunk\u0026old=3421137%40wp-rss-aggregator%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-19T22:18:26.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-16T20:31:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u003c= 5.0.10 - Reflected Cross-Site Scripting via \u0027template\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1216",
        "datePublished": "2026-02-17T09:26:22.151Z",
        "dateReserved": "2026-01-19T22:02:59.426Z",
        "dateUpdated": "2026-04-08T16:50:05.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14745 (GCVE-0-2025-14745)

    Vulnerability from nvd – Published: 2026-01-23 05:29 – Updated: 2026-04-08 17:27
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Djaidja Moundjid
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14745",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-23T15:57:24.821715Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-23T16:00:16.846Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Djaidja Moundjid"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027wp-rss-aggregator\u0027 shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:58.203Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd201949-d3a1-4fdb-bf98-252fbfd59380?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Renderer.php#L209"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator/trunk/core/src/Renderer.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-15T20:48:02.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-22T17:08:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 5.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-14745",
        "datePublished": "2026-01-23T05:29:51.482Z",
        "dateReserved": "2025-12-15T20:32:38.308Z",
        "dateUpdated": "2026-04-08T17:27:58.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14375 (GCVE-0-2025-14375)

    Vulnerability from nvd – Published: 2026-01-16 07:23 – Updated: 2026-04-08 16:47
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Reflected Cross-Site Scripting via className
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Deadbee
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14375",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-16T13:47:36.732451Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-16T13:48:29.591Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deadbee"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:47:38.674Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d2dde13-2940-478e-8e2b-baf60003754a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-10T11:26:28.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-15T19:09:57.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 5.0.10 - Reflected Cross-Site Scripting via className"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-14375",
        "datePublished": "2026-01-16T07:23:09.745Z",
        "dateReserved": "2025-12-09T18:52:33.809Z",
        "dateUpdated": "2026-04-08T16:47:38.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9583 (GCVE-0-2024-9583)

    Vulnerability from nvd – Published: 2024-10-23 06:45 – Updated: 2026-04-08 16:36
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 4.23.12 - Missing Authorization
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support allowing them to impersonate the site owner. License information may also be leaked.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    rebelcode RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging Affected: 0 , ≤ 4.23.12 (semver)
    Create a notification for this product.
    rebelcode rss_aggregator Affected: 0 , ≤ 4.23.12 (semver)
        cpe:2.3:a:rebelcode:rss_aggregator:-:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    tptNhan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rebelcode:rss_aggregator:-:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "rss_aggregator",
                "vendor": "rebelcode",
                "versions": [
                  {
                    "lessThanOrEqual": "4.23.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9583",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:29:31.529755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T13:31:48.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "4.23.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "tptNhan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support allowing them to impersonate the site owner. License information may also be leaked."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:25.173Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/126c77fa-11c5-431f-8fc9-0375ed6c8a91?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/admin-help.php#L274"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3168468/wp-rss-aggregator/trunk/includes/admin-help.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-22T18:44:01.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 4.23.12 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9583",
        "datePublished": "2024-10-23T06:45:05.657Z",
        "dateReserved": "2024-10-07T15:36:07.784Z",
        "dateUpdated": "2026-04-08T16:36:25.173Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6621 (GCVE-0-2024-6621)

    Vulnerability from nvd – Published: 2024-07-16 11:00 – Updated: 2026-04-08 17:06
    VLAI
    Title
    WP RSS Aggregator <= 4.23.11 - Missing Authorization to Authenticated (Subscriber+) Feed State Update
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_feed_source' functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Peter Thaleikis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6621",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T13:55:00.644027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-26T18:14:45.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.059Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e37331b-0b75-41ee-b390-532efd674cc1?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L12"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L28"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php?rev=3118231"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "4.23.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027wprss_activate_feed_source\u0027 and \u0027wprss_pause_feed_source\u0027 functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:17.989Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e37331b-0b75-41ee-b390-532efd674cc1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L28"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php?rev=3118231"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-15T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP RSS Aggregator \u003c= 4.23.11 - Missing Authorization to Authenticated (Subscriber+) Feed State Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6621",
        "datePublished": "2024-07-16T11:00:58.101Z",
        "dateReserved": "2024-07-09T15:57:47.785Z",
        "dateUpdated": "2026-04-08T17:06:17.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-0630 (GCVE-0-2024-0630)

    Vulnerability from nvd – Published: 2024-02-05 21:21 – Updated: 2026-04-08 17:09
    VLAI
    Title
    WP RSS Aggregator <= 4.23.4 - Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source
    Summary
    The WP RSS Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSS feed source in all versions up to, and including, 4.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Colin Xu
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0630",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-07T16:09:55.625336Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-27T21:00:34.225Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:11:35.686Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3026269/wp-rss-aggregator"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "4.23.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Colin Xu"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP RSS Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSS feed source in all versions up to, and including, 4.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:09:45.128Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3026269/wp-rss-aggregator"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-01-17T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-01-25T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP RSS Aggregator \u003c= 4.23.4 - Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-0630",
        "datePublished": "2024-02-05T21:21:53.514Z",
        "dateReserved": "2024-01-16T21:34:48.060Z",
        "dateUpdated": "2026-04-08T17:09:45.128Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2433 (GCVE-0-2026-2433)

    Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-04-08 16:45
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2433",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-09T17:31:34.331517Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-09T18:28:59.710Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin\u0027s admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator\u0027s session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin\u0027s admin page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:45:01.018Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/311960e7-c4b4-4638-980f-1e08ffa621ba?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L153"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L153"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3473511%40wp-rss-aggregator%2Ftrunk\u0026old=3439393%40wp-rss-aggregator%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-12T22:05:34.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-06T19:00:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2433",
        "datePublished": "2026-03-07T07:22:04.098Z",
        "dateReserved": "2026-02-12T21:50:01.000Z",
        "dateUpdated": "2026-04-08T16:45:01.018Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1216 (GCVE-0-2026-1216)

    Vulnerability from cvelistv5 – Published: 2026-02-17 09:26 – Updated: 2026-04-08 16:50
    VLAI
    Title
    RSS Aggregator <= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter
    Summary
    The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    D.Sim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1216",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T14:30:54.930393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T14:31:04.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "D.Sim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027template\u0027 parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:05.895Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47a10dd4-515c-42d9-82ea-c84f8f7574c5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Store/DisplaysStore.php#L106"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/src/Store/DisplaysStore.php#L106"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3439384%40wp-rss-aggregator%2Ftrunk\u0026old=3421137%40wp-rss-aggregator%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-19T22:18:26.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-16T20:31:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u003c= 5.0.10 - Reflected Cross-Site Scripting via \u0027template\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1216",
        "datePublished": "2026-02-17T09:26:22.151Z",
        "dateReserved": "2026-01-19T22:02:59.426Z",
        "dateUpdated": "2026-04-08T16:50:05.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14745 (GCVE-0-2025-14745)

    Vulnerability from cvelistv5 – Published: 2026-01-23 05:29 – Updated: 2026-04-08 17:27
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Djaidja Moundjid
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14745",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-23T15:57:24.821715Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-23T16:00:16.846Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Djaidja Moundjid"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027wp-rss-aggregator\u0027 shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:58.203Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd201949-d3a1-4fdb-bf98-252fbfd59380?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Renderer.php#L209"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator/trunk/core/src/Renderer.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-15T20:48:02.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-22T17:08:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 5.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-14745",
        "datePublished": "2026-01-23T05:29:51.482Z",
        "dateReserved": "2025-12-15T20:32:38.308Z",
        "dateUpdated": "2026-04-08T17:27:58.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14375 (GCVE-0-2025-14375)

    Vulnerability from cvelistv5 – Published: 2026-01-16 07:23 – Updated: 2026-04-08 16:47
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Reflected Cross-Site Scripting via className
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Deadbee
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14375",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-16T13:47:36.732451Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-16T13:48:29.591Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deadbee"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:47:38.674Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d2dde13-2940-478e-8e2b-baf60003754a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-10T11:26:28.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-15T19:09:57.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 5.0.10 - Reflected Cross-Site Scripting via className"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-14375",
        "datePublished": "2026-01-16T07:23:09.745Z",
        "dateReserved": "2025-12-09T18:52:33.809Z",
        "dateUpdated": "2026-04-08T16:47:38.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9583 (GCVE-0-2024-9583)

    Vulnerability from cvelistv5 – Published: 2024-10-23 06:45 – Updated: 2026-04-08 16:36
    VLAI
    Title
    RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 4.23.12 - Missing Authorization
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support allowing them to impersonate the site owner. License information may also be leaked.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    rebelcode RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging Affected: 0 , ≤ 4.23.12 (semver)
    Create a notification for this product.
    rebelcode rss_aggregator Affected: 0 , ≤ 4.23.12 (semver)
        cpe:2.3:a:rebelcode:rss_aggregator:-:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    tptNhan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rebelcode:rss_aggregator:-:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "rss_aggregator",
                "vendor": "rebelcode",
                "versions": [
                  {
                    "lessThanOrEqual": "4.23.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9583",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:29:31.529755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T13:31:48.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "4.23.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "tptNhan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support allowing them to impersonate the site owner. License information may also be leaked."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:25.173Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/126c77fa-11c5-431f-8fc9-0375ed6c8a91?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/admin-help.php#L274"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3168468/wp-rss-aggregator/trunk/includes/admin-help.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-22T18:44:01.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 4.23.12 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9583",
        "datePublished": "2024-10-23T06:45:05.657Z",
        "dateReserved": "2024-10-07T15:36:07.784Z",
        "dateUpdated": "2026-04-08T16:36:25.173Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6621 (GCVE-0-2024-6621)

    Vulnerability from cvelistv5 – Published: 2024-07-16 11:00 – Updated: 2026-04-08 17:06
    VLAI
    Title
    WP RSS Aggregator <= 4.23.11 - Missing Authorization to Authenticated (Subscriber+) Feed State Update
    Summary
    The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_feed_source' functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Peter Thaleikis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6621",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T13:55:00.644027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-26T18:14:45.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.059Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e37331b-0b75-41ee-b390-532efd674cc1?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L12"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L28"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php?rev=3118231"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "4.23.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027wprss_activate_feed_source\u0027 and \u0027wprss_pause_feed_source\u0027 functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:17.989Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e37331b-0b75-41ee-b390-532efd674cc1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php#L28"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/includes/feed-states.php?rev=3118231"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-15T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP RSS Aggregator \u003c= 4.23.11 - Missing Authorization to Authenticated (Subscriber+) Feed State Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6621",
        "datePublished": "2024-07-16T11:00:58.101Z",
        "dateReserved": "2024-07-09T15:57:47.785Z",
        "dateUpdated": "2026-04-08T17:06:17.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-0630 (GCVE-0-2024-0630)

    Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2026-04-08 17:09
    VLAI
    Title
    WP RSS Aggregator <= 4.23.4 - Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source
    Summary
    The WP RSS Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSS feed source in all versions up to, and including, 4.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Colin Xu
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0630",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-07T16:09:55.625336Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-27T21:00:34.225Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:11:35.686Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3026269/wp-rss-aggregator"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
              "vendor": "rebelcode",
              "versions": [
                {
                  "lessThanOrEqual": "4.23.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Colin Xu"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP RSS Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSS feed source in all versions up to, and including, 4.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:09:45.128Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3026269/wp-rss-aggregator"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-01-17T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-01-25T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP RSS Aggregator \u003c= 4.23.4 - Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-0630",
        "datePublished": "2024-02-05T21:21:53.514Z",
        "dateReserved": "2024-01-16T21:34:48.060Z",
        "dateUpdated": "2026-04-08T17:09:45.128Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }