Impact
The RSS Aggregator plugin for WordPress is affected by a stored cross‑site scripting vulnerability (CWE‑79) that allows an authenticated user with Contributor-level access or higher to inject arbitrary JavaScript into pages via the plugin's wp‑rss‑aggregator shortcode. The flaw results from insufficient input sanitization and output escaping of the shortcode's attributes: values supplied in the shortcode are written into the rendered markup without being escaped for their HTML context, so an attacker can break out of an attribute and introduce script. The Contributor role lacks the unfiltered_html capability, so raw script in post content would normally be stripped by WordPress's KSES filter; unescaped shortcode attributes provide a path around that filter. The injected script runs in the browser of any user who loads the affected page, including an editor or administrator previewing a contributor's pending post, and can be used to deface content, steal cookies, or perform other client‑side attacks against site visitors. Note that WordPress sets its own authentication cookies HttpOnly, so the more realistic goal is to ride a privileged user's session and perform actions in the dashboard on their behalf.
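The following self-contained PHP is an added illustration of the bug class described above; it is not the RSS Aggregator plugin's code, which is not reproduced here. It contrasts a hypothetical shortcode handler that interpolates attribute values verbatim with one that whitelists attributes, coerces numeric values, and escapes strings for attribute context. The functions `render_feed_unsafe` and `render_feed_safe`, the attribute names `limit` and `class`, and the payload are all constructed for the example; the WordPress functions `shortcode_atts`, `esc_attr` and `absint` are given minimal stand-ins so the file runs outside WordPress.

```php
<?php
// Added example: a hypothetical shortcode handler, NOT the RSS Aggregator plugin's code.
// Stand-ins for WordPress helpers so the file runs with plain `php`; inside WordPress
// the real shortcode_atts(), esc_attr() and absint() are used instead.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        // Keep only known attribute names; unknown ones (e.g. onclick) are dropped.
        $out = $defaults;
        foreach ($defaults as $name => $default) {
            if (array_key_exists($name, $atts)) {
                $out[$name] = $atts[$name];
            }
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // WordPress esc_attr() is essentially htmlspecialchars() with ENT_QUOTES,
        // which neutralises both quote characters inside an attribute value.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n): int {
        return abs((int) $n);
    }
}

// Vulnerable pattern: attribute values are concatenated straight into HTML.
function render_feed_unsafe(array $atts): string {
    $limit = $atts['limit'] ?? '10';
    $class = $atts['class'] ?? 'feed';
    return '<div class="' . $class . '" data-limit="' . $limit . '">feed items</div>';
}

// Hardened pattern: whitelist the attributes, coerce types, escape on output.
function render_feed_safe(array $atts): string {
    $atts  = shortcode_atts(['limit' => 10, 'class' => 'feed'], $atts);
    $limit = absint($atts['limit']);   // numeric attribute: coerce rather than escape
    $class = esc_attr($atts['class']); // string attribute: escape for attribute context
    return '<div class="' . $class . '" data-limit="' . $limit . '">feed items</div>';
}

// Constructed payload, equivalent to a contributor writing in a post:
//   [wp-rss-aggregator class='" onmouseover="alert(1)' limit="5" onclick="alert(2)"]
// The double quote in `class` closes the attribute early in the unsafe handler,
// turning onmouseover into a live event-handler attribute on the rendered div.
$payload = [
    'class'   => '" onmouseover="alert(1)',
    'limit'   => '5',
    'onclick' => 'alert(2)',
];

echo render_feed_unsafe($payload), PHP_EOL; // attribute breakout: handler attribute lands in markup
echo render_feed_safe($payload), PHP_EOL;   // quotes become entities; onclick is dropped by whitelist
```

Run it with `php example.php`. The unsafe output contains a live `onmouseover` attribute on the div; the safe output keeps the whole payload inside the `class` attribute as entity-encoded text and never sees the unknown `onclick` key at all. Escaping must match the output context: a value placed inside a `<script>` block or a URL attribute needs `wp_json_encode` or `esc_url` respectively, not `esc_attr`.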
Affected Systems
The vulnerability affects the Rebelcode RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin in all releases up to and including version 5.0.10. Any WordPress site with one of these versions installed and active is affected; the shortcode is only rendered while the plugin is active.
Risk and Exploitability
The CVSS base score for this flaw is 6.4 (medium) and the EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must first obtain an account with the Contributor role or higher on the WordPress site, then place a wp‑rss‑aggregator shortcode with crafted attribute values into a post or page, either through the plugin's shortcode editor or by typing the shortcode directly into the content. The payload executes when any user renders that content, including an editor or administrator reviewing the contributor's pending post. No network exposure beyond the site's normal front end and no code execution on the server are involved, but the impact on end users can be significant.
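Because the payload lives in stored post content, the practical response check is to sweep existing posts for wp‑rss‑aggregator shortcodes whose attribute values contain quote characters, angle brackets, `javascript:` URLs or event-handler tokens. The PHP below is an added audit helper, not part of the plugin or of OpenCVE; `extract_shortcode_attrs`, `suspicious_attr_values` and `audit_posts` are hypothetical names, the shortcode parsing is a simplified version of WordPress's own regex, and the `$posts` rows are constructed sample data standing in for `SELECT ID, post_content FROM wp_posts`.

```php
<?php
// Added example: an audit helper for incident response, NOT plugin or OpenCVE code.
// Parses [wp-rss-aggregator ...] shortcodes out of post content and flags attribute
// values that could not be legitimate feed settings.

// Returns one associative array of attributes per shortcode occurrence found in $content.
// Simplified shortcode parser: a closing bracket inside a quoted value is not handled.
function extract_shortcode_attrs(string $content, string $tag): array {
    $found   = [];
    $pattern = '/\[' . preg_quote($tag, '/') . '\b([^\]]*)\]/i';
    if (!preg_match_all($pattern, $content, $m)) {
        return $found;
    }
    // name="value", name='value' or name=value
    $attrRe = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    foreach ($m[1] as $attrString) {
        $attrs = [];
        if (preg_match_all($attrRe, $attrString, $am, PREG_SET_ORDER)) {
            foreach ($am as $a) {
                // Only one of the three value groups matches; unmatched trailing groups are absent.
                $value = $a[2] ?? '';
                if ($value === '') { $value = $a[3] ?? ''; }
                if ($value === '') { $value = $a[4] ?? ''; }
                $attrs[strtolower($a[1])] = $value;
            }
        }
        $found[] = $attrs;
    }
    return $found;
}

// Flags values containing attribute-breakout characters, tag characters,
// JavaScript URLs or anything that looks like an inline event handler.
function suspicious_attr_values(array $attrs): array {
    $hits = [];
    foreach ($attrs as $name => $value) {
        if (preg_match('/[<>"\']|javascript:|\bon[a-z]+\s*=/i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// $posts maps post ID => post_content; returns post ID => flagged attributes.
function audit_posts(array $posts, string $tag = 'wp-rss-aggregator'): array {
    $report = [];
    foreach ($posts as $id => $content) {
        foreach (extract_shortcode_attrs($content, $tag) as $attrs) {
            $hits = suspicious_attr_values($attrs);
            if ($hits) {
                $report[$id] = ($report[$id] ?? []) + $hits;
            }
        }
    }
    return $report;
}

// Constructed sample rows (not real site data).
$posts = [
    101 => 'Latest news: [wp-rss-aggregator limit="5" template="list"]',
    102 => 'Hi [wp-rss-aggregator limit=\'5\' template=\'x" onmouseover="alert(document.cookie)\']',
    103 => '[wp-rss-aggregator template=javascript:alert(1)]',
];

foreach (audit_posts($posts) as $id => $hits) {
    foreach ($hits as $name => $value) {
        printf("post %d: suspicious attribute %s = %s\n", $id, $name, $value);
    }
}
```

Post 101 passes, post 102 is flagged on `template` because its value carries a double quote and an `onmouseover=` token, and post 103 is flagged for the `javascript:` URL. On a live site, feed the loop from a database export or `wp post list --field=ID` plus `wp post get`, and include revisions and drafts: a contributor's pending post is exactly where this payload is expected to sit.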
OpenCVE Enrichment