WordPress Plugin Vulnerabilities

WP RSS Aggregator < 4.19.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues.

Proof of Concept

Affects Plugins

Plugin icon
wp-rss-aggregator
Fixed in 4.19.2

References

CVE
CVE-2021-24768

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Huy Nguyen
Submitter
Huy Nguyen
Submitter website
https://www.linkedin.com/in/id-laladee/
Verified
Yes
WPVDB ID
3673e13f-7ce6-4d72-b179-ae4bab55514c

Timeline

Publicly Published
2021-11-01 (about 4 years ago)
Added
2021-11-01 (about 4 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2022-06-13
Title
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
Published
2025-03-02
Title
Random Image Selector <= 2.4 - Reflected Cross-Site Scripting
Published
2025-06-25
Title
Modern Design Library < 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Published
2024-12-20
Title
Multi-column Tag Map < 17.0.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via mctagmap Shortcode
Published
2024-09-30
Title
BA Book Everything < 1.6.21 - Reflected Cross-Site Scripting