The plugin does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues.
Add a URL to Blacklist (RSS Aggregator > Tools > Blacklist) with the following payload in the "URL to blacklist" field: <img/src/onerror=alert(/XSS/)>
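The defect described above is a missing sanitise-on-save and escape-on-output step for a field that only ever needs to hold a URL. The following PHP is an added illustration written for this page, not the plugin's own code: a hypothetical settings handler showing the weak pattern (store the posted value raw, echo it raw) beside a hardened one that validates the value as an http(s) URL with esc_url_raw() on the way in and escapes it with esc_url()/esc_html() on the way out. The option name, function names and the manage_options capability check are assumptions; the WordPress functions used (esc_url_raw, esc_url, esc_html, wp_unslash, wp_parse_url, check_admin_referer, add_settings_error, get_option, update_option) are the real core APIs. Run inside WordPress, esc_url_raw() strips the characters that are not valid in a URL, so a value such as the payload above is reduced to an inert string and, because the scheme check then fails, is refused rather than stored.

```php
<?php
// Added example for this advisory; hypothetical handler, not the plugin's code.
// Assumes it is loaded inside WordPress (core escaping/option functions available).

const DEMO_BLACKLIST_OPTION = 'demo_rss_url_blacklist'; // hypothetical option name

// WEAK PATTERN: the posted value is stored verbatim and printed back unescaped.
// Markup placed in the field is persisted and rendered for every administrator
// who views the list, whatever the unfiltered_html capability says.
function demo_blacklist_save_weak() {
    $urls   = get_option( DEMO_BLACKLIST_OPTION, array() );
    $urls[] = wp_unslash( $_POST['blacklist_url'] ?? '' );
    update_option( DEMO_BLACKLIST_OPTION, $urls );
}

function demo_blacklist_render_weak() {
    foreach ( get_option( DEMO_BLACKLIST_OPTION, array() ) as $url ) {
        echo '<li>' . $url . '</li>'; // unescaped output: the stored markup executes
    }
}

// HARDENED PATTERN: the field is a URL, so it is validated as one on the way in
// and escaped for its output context on the way out. HTML is never legitimate
// here, so no unfiltered_html decision is involved at all.
function demo_blacklist_sanitize_url( $raw ) {
    // esc_url_raw() removes characters that cannot appear in a URL and rejects
    // disallowed protocols; the result is meant for storage, not for display.
    $url = esc_url_raw( trim( wp_unslash( $raw ) ) );
    if ( '' === $url ) {
        return null;
    }
    // Only accept absolute http(s) URLs for a feed blacklist.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return null;
    }
    return $url;
}

function demo_blacklist_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability for this screen
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'demo_blacklist_add' );     // nonce check against CSRF

    $url = demo_blacklist_sanitize_url( $_POST['blacklist_url'] ?? '' );
    if ( null === $url ) {
        add_settings_error( 'demo_blacklist', 'invalid_url', 'Please enter a valid http(s) URL.' );
        return;
    }

    $urls   = get_option( DEMO_BLACKLIST_OPTION, array() );
    $urls[] = $url;
    update_option( DEMO_BLACKLIST_OPTION, array_values( array_unique( $urls ) ) );
}

function demo_blacklist_render_hardened() {
    foreach ( get_option( DEMO_BLACKLIST_OPTION, array() ) as $url ) {
        // esc_url() for the attribute context, esc_html() for the text context.
        printf( '<li><a href="%s">%s</a></li>', esc_url( $url ), esc_html( $url ) );
    }
}
```

The two halves of the fix are independent and both are needed: input validation keeps non-URL data out of the option, and output escaping protects any value that reaches the page through another path (an import, an older stored row, a different screen that prints the same option).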
Huy Nguyen
Huy Nguyen
Yes
2021-11-01
2021-11-01
2022-04-09