WordPress Plugin Vulnerabilities
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging < 5.0.12 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage
Description
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
Affects Plugins
Fixed in 5.0.12 References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Verified
No
WPVDB ID
Timeline
Publicly Published
2026-03-06 (about 2 months ago)
Added
2026-03-06 (about 2 months ago)
Last Updated
2026-03-07 (about 2 months ago)
WPScan 