CVE-2026-1216
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Description
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Analysis
Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress installations to identify RSS Aggregator plugin usage and version numbers; disable the plugin on all affected systems pending remediation. Within 7 days: Contact the plugin vendor for patch availability or alternative solutions; implement WAF rules blocking malicious template parameter payloads. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today