What the vulnerability does
01Description
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
Explanation of Vulnerability in Simple Terms
02Summary
The RSS Aggregator plugin for WordPress contains a cross-site scripting (XSS) vulnerability in versions up to 5.0.11. An attacker can inject malicious scripts into RSS feed content that execute in the browsers of site visitors. The vulnerability requires user interaction—a victim must view a page containing the malicious feed data. The attack can affect multiple users and compromise site integrity.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in visitors' browsers when they view feed content on the site.
Potential impact on your site
04Site Impact
Visitors' browsers can execute attacker-controlled scripts, potentially stealing session cookies, redirecting users, or defacing content.
Conditions required to exploit
05Prerequisites
No authentication required. A site visitor must view a page displaying the affected RSS feed content.
Key dates
06Disclosure timeline
March 7, 2026
CVE published
April 8, 2026
Record updated
