Description
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-02-17
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The RSS Aggregator plugin for WordPress is vulnerable to reflected cross-site scripting through the 'template' parameter because the input is neither sanitized nor escaped before being output. An attacker who can craft a malicious request can cause a victim's browser to execute arbitrary JavaScript when the user visits a page containing the injected code. This exposes the site to potential data theft, session hijacking, defacement, or the execution of further malicious payloads in the victim's browser. The weakness is classified as CWE-79, a failure to filter or escape user-supplied data before rendering it in a browser.

Affected Systems

Rebelcode’s RSS Aggregator plugin, all versions up to and including 5.0.10, is affected. The flaw exists in the core file DisplaysStore.php and can be exploited on any WordPress site that has an outdated instance of this plugin.

Risk and Exploitability

The CVSS score is 7.2, indicating high severity. The EPSS score is less than 1%, suggesting a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to entice a user to click a specially crafted link that includes the malicious 'template' value; authentication is not required for exploitation. Because the flaw lies in a publicly exposed URL parameter, it is triggered by any visitor who follows the crafted link, so it is readily exploitable whenever the lure is convincing.

Generated by OpenCVE AI on April 15, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RSS Aggregator plugin to version 5.0.11 or later, which removes the reflected XSS flaw.
  • If an immediate update is not possible, disable the 'template' feature by removing any code that passes this parameter to the DisplaysStore or by hard-coding a safe value in the plugin configuration.
  • Implement a Web Application Firewall rule or filter that sanitizes the 'template' parameter (e.g., using wp_kses) to prevent script injection until a formal patch is applied.
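The following is an added illustration, not code from the plugin or from this record: a hypothetical WordPress rendering function showing the defect class the record describes (a request parameter reflected into markup without validation or escaping) beside a hardened version that allow-lists the template name and escapes it for the attribute context. The function names, the `data-template` attribute and the set of template names are assumptions; the plugin's actual DisplaysStore.php code is not reproduced here.

```php
<?php
// Added example (not the plugin's code). All names here are hypothetical.

// UNSAFE pattern: a request value flows straight into output with no
// validation or escaping. This is the class of defect behind CWE-79.
function render_display_unsafe_example() {
    $template = isset( $_GET['template'] ) ? $_GET['template'] : 'default';
    return '<div class="wprss-display" data-template="' . $template . '"></div>';
}

// HARDENED: normalise, check against a fixed allow-list, then escape for the
// output context. Both steps matter: the allow-list rejects anything
// unexpected, and esc_attr() keeps the output safe even if the list changes.
function render_display_safe_example() {
    $allowed = array( 'default', 'list', 'grid' ); // assumed template names

    $raw      = isset( $_GET['template'] ) ? wp_unslash( $_GET['template'] ) : 'default';
    $template = sanitize_key( $raw ); // lowercase, keeps only [a-z0-9_-]

    if ( ! in_array( $template, $allowed, true ) ) {
        $template = 'default'; // fall back rather than reflecting the input
    }

    return '<div class="wprss-display" data-template="' . esc_attr( $template ) . '"></div>';
}
```

The escaping function must match where the value lands: esc_attr() for attribute values, esc_html() for text nodes, esc_url() for href/src. A WAF rule on the parameter is a stop-gap; the allow-list plus context-correct escaping is what closes the flaw in code.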

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Rebelcode
                                      Rebelcode rss Aggregator – Rss Import, News Feeds, Feed To Post, And Autoblogging
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Rebelcode
                                      Rebelcode rss Aggregator – Rss Import, News Feeds, Feed To Post, And Autoblogging
                                      Wordpress
                                      Wordpress wordpress

Tue, 17 Feb 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics ssvc                          {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:45:00 +0000

Type                 Values Removed   Values Added
Description                           The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title                                 RSS Aggregator <= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter
Weaknesses                            CWE-79
References
Metrics cvssV3_1                      {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:05.895Z

Reserved: 2026-01-19T22:02:59.426Z

Link: CVE-2026-1216

Vulnrichment

Updated: 2026-02-17T14:30:59.856Z

NVD

Status: Deferred

Published: 2026-02-17T10:15:57.757

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses