Description
The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin’s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The Taeggie Feed plugin for WordPress is vulnerable to stored cross‑site scripting because the plugin’s render() method inserts unescaped user‑supplied data into a <script> tag. The flaw resides in the taeggie‑feed shortcode: the name attribute taken from the shortcode is written both into the id attribute of the <script> element and into the argument of the jQuery.getScript() call inside it, and in neither case is it escaped for that context. Because shortcode attributes are saved as part of the post or page content, an attacker who can store a crafted name value has their JavaScript persisted in the database and executed in the browser of anyone who loads a page on which that shortcode is rendered.

Affected Systems

This vulnerability affects every installation of the Taeggie Feed WordPress plugin at version 0.1.10 or earlier. Any site that has not upgraded beyond 0.1.10 is exposed regardless of the theme or other plugins in use; the only precondition on the attacker’s side is an account that can author content containing the shortcode.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates moderate severity: the attack is network‑reachable and low in complexity, needs only low privileges, and is scored with a changed scope because the payload runs in other users’ browsers rather than in the attacker’s own session. The EPSS of < 1% suggests a low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated account with contributor‑level rights or higher; once a crafted taeggie‑feed shortcode has been saved, the payload executes in the browser context of any user who renders that page. Contributors cannot publish posts themselves, so in practice the injected content is first triggered when an editor or administrator previews or publishes the pending draft, which is precisely the higher‑privileged session such an attack is after.
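Because the payload persists in post content, the first question for a site owner is whether a crafted taeggie‑feed shortcode is already stored. The following audit helper is an added example (not OpenCVE’s or the plugin’s code): it scans content strings for the shortcode and flags any name attribute that is not a plain identifier, which is how an injected value looks at rest. The identifier allowlist and the sample posts are assumptions made for the example.

```php
<?php
/**
 * Added audit helper for CVE-2025-6382 (not OpenCVE's or the plugin's code):
 * scans stored post content for [taeggie-feed] shortcodes whose `name`
 * attribute contains anything beyond a plain identifier, which is what an
 * injected payload looks like at rest. The identifier allowlist and the
 * sample posts are assumptions made for the example.
 */

// Assumed shape of a legitimate feed name.
const SAFE_NAME = '/^[A-Za-z0-9_-]{1,64}$/';

/**
 * Return every [taeggie-feed ...] occurrence in $content whose name attribute
 * fails SAFE_NAME. Attribute parsing follows WordPress shortcode syntax:
 * name="...", name='...' or a bare name=value token.
 */
function find_suspicious_taeggie_shortcodes( string $content ): array {
    $hits = array();
    if ( ! preg_match_all( '/\[taeggie-feed\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER ) ) {
        return $hits;
    }
    foreach ( $tags as $tag ) {
        // Group 1: double-quoted, group 2: single-quoted, group 3: bare value.
        // Only one group matches, so concatenating the three yields the value.
        if ( ! preg_match( '/\bname\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $tag[1], $m ) ) {
            continue;
        }
        $name = ( $m[1] ?? '' ) . ( $m[2] ?? '' ) . ( $m[3] ?? '' );
        if ( $name !== '' && ! preg_match( SAFE_NAME, $name ) ) {
            $hits[] = array( 'shortcode' => $tag[0], 'name' => $name );
        }
    }
    return $hits;
}

// Constructed sample rows standing in for `SELECT ID, post_content FROM wp_posts`.
// Post 12 carries the kind of value an attacker would store; the others are benign.
$posts = array(
    11 => 'Intro text [taeggie-feed name="daily-news"] more text',
    12 => "Pending draft [taeggie-feed name='\");alert(document.domain);//'] by a contributor",
    13 => 'No shortcode on this page at all',
    14 => '[taeggie-feed name=weekly_digest]',
);

foreach ( $posts as $id => $content ) {
    foreach ( find_suspicious_taeggie_shortcodes( $content ) as $hit ) {
        printf( "post %d: suspicious name %s in %s\n", $id, var_export( $hit['name'], true ), $hit['shortcode'] );
    }
}
```

Run as plain PHP it reports post 12 only. On a real site, feed the function the post_content of every row including drafts and pending posts, since a contributor’s payload sits unpublished until someone with more rights previews or publishes it; get_posts( array( 'post_status' => 'any', 'post_type' => 'any', 'numberposts' => -1 ) ) covers current posts, and a direct query against wp_posts also catches revisions. A hit is a signal, not proof: confirm the value by eye, then clean or unpublish the post.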

Generated by OpenCVE AI on April 20, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Taeggie Feed plugin to a release newer than 0.1.10 as soon as one is available; this page records no fixed version, so confirm from the changelog that the release escapes the name attribute before relying on it.
  • If an update cannot be applied immediately, stop the shortcode from rendering (for example, call remove_shortcode('taeggie-feed') from a must‑use plugin hooked late on init), audit existing posts, pages and drafts for taeggie‑feed shortcodes with unexpected name values, and limit contributor and author accounts to trusted users until the plugin is patched.
  • Patch the plugin code so the name attribute is validated and escaped for each output context before insertion: restrict it to identifier characters, pass the id through esc_attr(), and emit the jQuery.getScript() argument with wp_json_encode() (or at minimum esc_js()) rather than concatenating the raw value into the <script> block.
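The Impact section above describes how the name attribute reaches two script contexts unescaped, and the last recommended action is to validate and escape it. The following added example (not the Taeggie Feed plugin’s own code) reconstructs that pattern in a hypothetical render() and places a hardened version beside it. The feed URL, the markup layout, the allowlist and the stand‑in definitions of the WordPress helpers are assumptions; only the two injection contexts follow the advisory.

```php
<?php
/**
 * Added example for CVE-2025-6382 (CWE-79): an illustrative reconstruction of
 * the vulnerable pattern next to a hardened rewrite. This is NOT the Taeggie
 * Feed plugin's own code. The feed URL, the markup layout and the allowlist
 * are assumptions; only the two injection contexts (the <script> id attribute
 * and the jQuery.getScript() argument, both fed from `name`) follow the advisory.
 */

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// functions are already defined and these branches are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { // approximation of WordPress esc_attr()
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_json_encode' ) ) {
    function wp_json_encode( $data, $options = 0, $depth = 512 ) {
        return json_encode( $data, $options, $depth );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}

const FEED_BASE = 'https://feed.example.invalid/widgets/'; // assumed URL

// Vulnerable form: `name` comes straight from the shortcode attribute stored
// in post content (writable by Contributor+ accounts) and is concatenated,
// unescaped, into an HTML attribute and into a JavaScript string literal.
function render_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'name' => '' ), $atts, 'taeggie-feed' );
    $name = $atts['name'];
    return '<script id="taeggie-feed-' . $name . '">'
         . 'jQuery.getScript("' . FEED_BASE . $name . '.js");'
         . '</script>';
}

// Hardened form: validate first, then escape for each output context.
function render_hardened( $atts ) {
    $atts = shortcode_atts( array( 'name' => '' ), $atts, 'taeggie-feed' );
    $name = (string) $atts['name'];

    // 1. Allowlist. A feed name is an identifier, so anything outside
    //    [A-Za-z0-9_-] is rejected. This also stops "../" or a full URL from
    //    pointing getScript() at an attacker-chosen host.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $name ) ) {
        return '';
    }

    // 2. Context-specific escaping as defence in depth:
    //    - HTML attribute context: esc_attr()
    //    - JavaScript string context: wp_json_encode() with the HEX flags, so
    //      < > & ' " become \uXXXX and "</script>" cannot close the element.
    $id  = esc_attr( 'taeggie-feed-' . $name );
    $url = wp_json_encode(
        FEED_BASE . rawurlencode( $name ) . '.js',
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script id="' . $id . '">jQuery.getScript(' . $url . ');</script>';
}

// Constructed attacker value: no HTML tags, it just closes the string literal
// and the getScript() call, then appends its own statement and comments out
// the remainder of the line.
$payload = '");alert(document.domain);//';

echo "VULNERABLE:\n", render_vulnerable( array( 'name' => $payload ) ), "\n\n";
echo "HARDENED, payload rejected: ", var_export( render_hardened( array( 'name' => $payload ) ), true ), "\n";
echo "HARDENED, benign name:\n", render_hardened( array( 'name' => 'daily-news' ) ), "\n";
```

In the vulnerable output the getScript() call is terminated right after the feed base URL and alert(document.domain) follows as a second statement; the same string also lands in the id attribute, where its embedded double quote ends the attribute early. Validation is the real fix: once name is known to be an identifier, esc_attr() and wp_json_encode() are cheap insurance for the day the allowlist is relaxed. The constructed payload deliberately contains no angle brackets, because content saved by users without the unfiltered_html capability passes through wp_kses_post(), which strips <script> tags but leaves quotes and parentheses untouched.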


Advisories
Source | ID | Title
EUVD | EUVD-2025-22496 | The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin’s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
References | |

Thu, 24 Jul 2025 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 24 Jul 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Jul 2025 09:30:00 +0000

Type | Values Removed | Values Added
Description | | The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin’s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:30.137Z

Reserved: 2025-06-19T19:29:21.307Z

Link: CVE-2025-6382

Vulnrichment

Updated: 2025-07-24T13:14:04.105Z

NVD

Status : Deferred

Published: 2025-07-24T10:15:27.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses