Description
Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross-site scripting flaw (CWE-79) in the WordPress WPeMatico RSS Feed Fetcher plugin; the advisory does not state whether the injection point is reflected or stored. It allows an attacker to inject script that executes in the browser of any user who views the affected page. Because the flaw is unauthenticated, an attacker does not need credentials to exploit it, which increases the potential impact on the confidentiality and integrity of user sessions, including credential theft or session hijacking.

Affected Systems

Vendor: etruel (WordPress plugin developer); Product: WPeMatico RSS Feed Fetcher. Versions up to and including 2.8.17 are affected; any WordPress site running one of these versions is at risk.

Risk and Exploitability

The CVSS 3.1 score of 7.1 classifies this as high severity; the vector (AV:N/AC:L/PR:N/UI:R/S:C) describes a network-reachable flaw that needs no privileges but does require a victim's interaction, such as viewing a crafted page or feed entry. No EPSS score is available, so there is insufficient data on exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but affected plugin versions contain no mitigation, so an attacker can craft a malicious URL or feed entry to trigger XSS. The likely attack path is an unauthenticated visitor reaching a page that displays content rendered by the plugin, which makes exploitation straightforward and low-effort on publicly accessible sites.

Generated by OpenCVE AI on July 2, 2026 at 17:51 UTC.

Remediation

Vendor Solution

Update the WordPress WPeMatico RSS Feed Fetcher Plugin to the latest available version (at least 2.8.18).

OpenCVE Recommended Actions

  • Upgrade to the latest plugin version (at least 2.8.18).
  • If upgrade is not immediately possible, disable the WPeMatico RSS Feed Fetcher plugin until a patched version is available.
  • Implement a site-wide Content Security Policy that restricts inline scripts and limits script sources to trusted origins to reduce the impact of any remaining XSS vectors.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Etruel; Etruel wpematico Rss Feed Fetcher; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Etruel; Etruel wpematico Rss Feed Fetcher; Wordpress; Wordpress wordpress

Thu, 02 Jul 2026 11:30:00 +0000

Type: Description
Values Added: Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions.

Type: Title
Values Added: WordPress WPeMatico RSS Feed Fetcher plugin <= 2.8.17 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:57:14.205Z

Reserved: 2026-06-24T12:45:24.972Z

Link: CVE-2026-57349

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T18:00:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')