Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Stored XSS. This issue affects Silencesoft RSS Reader: from n/a through <= 0.6.
Published: 2026-02-20
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Silencesoft RSS Reader plugin version 0.6 or earlier contains a stored cross‑site scripting flaw. The issue arises because user‑supplied input is not properly escaped before rendering on web pages, enabling an attacker to inject malicious JavaScript that will execute whenever a victim visits the affected page. This vulnerability can lead to defacement, credential theft, or other client‑side compromise for any user who views the affected content. The weakness is identified as CWE‑79.

Affected Systems

The vulnerability exists in the Silencesoft RSS Reader plugin for WordPress, through all versions up to and including 0.6. The plugin is commonly deployed on websites that aggregate external RSS feeds, and the issue is present regardless of the specific WordPress version in use.

Risk and Exploitability

The CVSS score of 5.9 places this flaw in the medium severity range, and the EPSS score of less than 1% indicates a very low current exploitation likelihood. It is not listed in CISA’s KEV catalog. The attack vector is inferred to be web‑based, requiring the attacker to supply crafted input that the plugin stores in the database and later renders unsanitized on a page viewed by unsuspecting users. Exploitation would likely involve posting a malicious RSS item or editing a feed item that the plugin displays.

Generated by OpenCVE AI on April 29, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Silencesoft RSS Reader to a version newer than 0.6
  • If an upgrade is not possible, deactivate the plugin or remove all stored feed items until a patch is applied
  • Sanitize or whitelist any custom RSS input so that injected JavaScript is not rendered and executed

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

Values added:
  Metrics:
    cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Values added:
  First Time appeared:
    Silence
    Silence silencesoft Rss Reader
    Wordpress
    Wordpress wordpress
  Vendors & Products:
    Silence
    Silence silencesoft Rss Reader
    Wordpress
    Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Values added:
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Stored XSS. This issue affects Silencesoft RSS Reader: from n/a through <= 0.6.
  Title: WordPress Silencesoft RSS Reader Plugin <= 0.6 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses: CWE-79
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:39:42.969Z

Reserved: 2025-09-25T15:28:27.830Z

Link: CVE-2025-60183

Vulnrichment

Updated: 2026-02-27T16:57:52.191Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:02.503

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:45:13Z

Weaknesses