Description
Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator google-news-editors-picks-news-feeds allows Stored XSS.This issue affects Google News Editors Picks Feed Generator: from n/a through <= 2.1.
Published: 2025-03-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw in the WordPress Google News Editors Picks Feed Generator allows an attacker to craft a request that stores malicious JavaScript into the feed data. The injected code would then execute whenever a user views the affected feed, resulting in persistent XSS.

Affected Systems

The vulnerability affects the PPDPurveyor Google News Editors Picks Feed Generator plugin for WordPress, with affected releases up to and including version 2.1. The plugin is installed on WordPress sites that have not been patched to a later version.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderately high severity, while the EPSS score of less than 1% suggests a low likelihood of real‑world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a CSRF request using a user who has permission to edit the feed, which the attacker can trigger by luring the target into visiting a malicious URL. The result is stored XSS that will affect all visitors to the feed.

Generated by OpenCVE AI on May 2, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google News Editors Picks Feed Generator to the latest version (2.2 or newer).
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to eliminate the attack surface.
  • Remove any existing injected JavaScript from the stored feed content and verify the feed contents are clean before re‑enabling the plugin or publishing new content.

Generated by OpenCVE AI on May 2, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7830 Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator allows Stored XSS. This issue affects Google News Editors Picks Feed Generator: from n/a through 2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator allows Stored XSS. This issue affects Google News Editors Picks Feed Generator: from n/a through 2.1. Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator google-news-editors-picks-news-feeds allows Stored XSS.This issue affects Google News Editors Picks Feed Generator: from n/a through <= 2.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0002}

 epss

{'score': 0.00028}

Wed, 19 Mar 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Ppdpurveyor
Ppdpurveyor google News Editors Picks Feed Generator
CPEs cpe:2.3:a:ppdpurveyor:google_news_editors_picks_feed_generator:*:*:*:*:*:wordpress:*:*
Vendors & Products Ppdpurveyor
Ppdpurveyor google News Editors Picks Feed Generator

Wed, 12 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator allows Stored XSS. This issue affects Google News Editors Picks Feed Generator: from n/a through 2.1.
Title WordPress Google News Editors Picks Feed Generator plugin <= 2.1 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Ppdpurveyor Google News Editors Picks Feed Generator
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.247Z

Reserved: 2025-03-11T08:08:42.174Z

Link: CVE-2025-28860

cve-icon Vulnrichment

Updated: 2025-03-12T15:03:32.048Z

cve-icon NVD

Status : Modified

Published: 2025-03-11T21:15:43.193

Modified: 2026-04-23T15:26:27.363

Link: CVE-2025-28860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:45:33Z

Weaknesses