Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress allows Reflected XSS. This issue affects Echo RSS Feed Post Generator Plugin for WordPress: from n/a through 5.4.8.1.
AnalysisAI
Reflected Cross-Site Scripting (XSS) vulnerability in the CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress affecting versions through 5.4.8.1. An unauthenticated attacker can inject malicious scripts into web pages viewed by users with no special privileges required, potentially leading to session hijacking, credential theft, or malware distribution. The CVSS 7.1 score reflects the moderate severity with network attack vector and user interaction requirement.
Technical ContextAI
This vulnerability stems from improper input neutralization (CWE-79) during dynamic web page generation in the WordPress plugin ecosystem. The Echo RSS Feed Post Generator plugin processes RSS feed data and generates WordPress posts without adequate output encoding or input validation. The reflected nature of this XSS indicates the malicious payload is not stored in the database but rather passed through request parameters (query strings, form data, or HTTP headers) and reflected back to the victim's browser without sanitization. WordPress plugins operating within the wp-admin and frontend contexts must adhere to strict sanitization (sanitize_text_field, wp_kses_post) and escaping (esc_html, esc_attr, wp_kses_data) practices. The vulnerability likely exists in RSS feed URL handling, feed content parsing, or configuration parameter processing where user-controlled input reaches output functions without proper escaping using WordPress's native sanitization APIs.
RemediationAI
Immediate remediation steps: (1) Update the Echo RSS Feed Post Generator plugin to version 5.4.8.2 or later (version number to be confirmed from vendor release notes—patch version must exceed 5.4.8.1). (2) If patch is unavailable, disable the plugin: wp-cli plugin deactivate echo-rss-feed-post-generator, then delete or quarantine. (3) For affected sites, conduct security audit of generated posts for injected scripts. Workarounds pending patch: (1) Implement WordPress security headers (Content-Security-Policy) to restrict inline script execution, reducing XSS impact scope. (2) Apply Web Application Firewall (WAF) rules to filter XSS payloads in RSS feed URLs and POST parameters. (3) Restrict RSS feed source URLs to trusted, validated domains only via plugin settings. (4) Monitor user activity logs for suspicious parameter values in feed processing requests. Refer to official CodeRevolution security advisory and WordPress.org plugin repository for patch availability and vendor guidance.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-28293