CVE-2021-24988

CVE-2021-24988: WP RSS Aggregator < 4.19.3 - Subscriber+ Stored Cross-Site Scripting

Vendor Unknown

Product WP RSS Aggregator – News Feeds, Autoblogging, Youtube Video Feeds and More

Weakness CWE-79 · XSS

Published December 27, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.

Key dates

02Disclosure timeline

December 27, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24988

Related vulnerabilities

04Related CVE

CVE-2024-2276 Bdtask G-Prescription Gynaecology & OBS Consultation Software Edit Venue Page cross site scripting CVE-2025-64793 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-0867 Multiple stored and reflected Cross-site Scripting in webapp CVE-2022-47431 WordPress Open RDW kenteken voertuiginformatie Plugin <= 2.0.14 is vulnerable to Cross Site Scripting (XSS) CVE-2024-41809 OpenObserve Cross-site Scripting (XSS) vulnerability in `openobserve/web/src/views/MemberSubscription.vue`