Impact
The RSS in Page plugin contains an improper neutralization of input during web page generation, resulting in a stored XSS flaw. An attacker can inject malicious script that is persisted and later served to unsuspecting visitors, potentially compromising the confidentiality and integrity of user sessions or defacing the site. The weakness is classified as CWE-79.
Affected Systems
This vulnerability is present in the WordPress RSS in Page plugin by titusbicknell, affecting all releases from the first version through version 2.9.1. No later versions are listed as affected in the current data.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The plugin is not listed in the CISA KEV catalog. The likely attack vector involves an attacker who can supply content to the plugin's storage mechanism, such as by creating or editing posts, comments, or feeds, to embed malicious JavaScript that subsequently runs in the browsers of site visitors. The absence of a high exploitation probability and the lack of known active attacks reduce the immediate risk, but the stored nature of the payload remains a significant concern for any exposed site.
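The defect class described above (feed-sourced text written into the page without neutralization) is easiest to see side by side with its fix. The following is an added illustration, not code from the RSS in Page plugin: a constructed feed item is rendered once by an unescaped path and once by a path that escapes for the HTML context, restricts the link scheme, and allowlists the summary markup. The function names and the sample item are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Contrasts an unescaped render path
// (the CWE-79 pattern) with an output-escaped one.

// Constructed sample feed entry whose fields carry injected markup.
$item = [
    'title'   => 'Weekly update <script>alert(1)</script>',
    'link'    => 'javascript:alert(1)',
    'summary' => 'Read <b>more</b> about <img src=x onerror=alert(1)>',
];

// Vulnerable pattern: feed fields are concatenated straight into HTML,
// so any markup in the stored feed reaches the visitor's browser intact.
function render_item_unsafe(array $item): string {
    return '<li><a href="' . $item['link'] . '">' . $item['title'] . '</a>'
         . '<p>' . $item['summary'] . '</p></li>';
}

// Escape for an HTML text or attribute context (quotes included).
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Only http(s) links are allowed into an href; anything else becomes inert.
function safe_url(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

// Allowlist sanitizer for the summary: keep a few inline tags, drop every
// other tag, then strip attributes from the tags that survive (strip_tags
// leaves attributes on allowed tags, which is where event handlers hide).
function sanitize_summary(string $html): string {
    $stripped = strip_tags($html, '<b><i><em><strong><p><br>');
    return preg_replace('/<(b|i|em|strong|p|br)\b[^>]*>/i', '<$1>', $stripped);
}

// Hardened pattern: every feed-derived value passes through a neutralizer
// appropriate to the context it lands in.
function render_item_safe(array $item): string {
    return '<li><a href="' . esc_html_ctx(safe_url($item['link'])) . '">'
         . esc_html_ctx($item['title']) . '</a>'
         . '<p>' . sanitize_summary($item['summary']) . '</p></li>';
}

echo "Unsafe:\n" . render_item_unsafe($item) . "\n\n";
echo "Safe:\n"   . render_item_safe($item) . "\n";
```

Inside a real WordPress plugin the same roles are filled by the core helpers esc_html(), esc_attr(), esc_url() and wp_kses_post(), which should be applied at output time to every value that originated in a remote feed or in user-editable post content; the standalone functions above exist only so the example runs without WordPress.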
OpenCVE Enrichment