Skip to main content

Feedzy RSS Aggregator CVE-2026-13252

| EUVDEUVD-2026-41268 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Wordfence GHSA-95qw-x29w-3qx6
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS payload fires only when a victim visits the injected page (UI:R, differing from NVD's UI:N); contributor authentication required (PR:L); scope change (S:C) reflects browser-context escalation to other users.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:21 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 6.4

DescriptionCVE.org

The RSS Aggregator by Feedzy - Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain contributor-level WordPress account
Delivery
Craft malicious 'aspectRatio' XSS payload in Feedzy RSS block
Exploit
Publish or submit injected post/page
Install
Victim administrator visits injected page
C2
Payload executes in admin browser session
Execute
Exfiltrate admin session cookie
Impact
Achieve full WordPress site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum contributor-level role on the target site - unauthenticated visitors cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 Medium score captures the key risk drivers: network-accessible attack vector (AV:N), low complexity (AC:L), contributor-level authentication requirement (PR:L), and a Changed Scope (S:C) reflecting that the XSS payload executes in victims' browsers rather than the attacker's own context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a contributor account on a target WordPress site edits or creates a post using the Feedzy RSS Aggregator block and injects a crafted JavaScript payload into the 'aspectRatio' attribute (e.g., a value that breaks out of the attribute context and inserts a script tag). The post is published or submitted for review; when a site administrator visits or previews the page, the payload executes in their browser session, exfiltrating the admin's authentication cookie to an attacker-controlled server. …
Remediation A fix has been committed to the WordPress plugin SVN repository (changeset 3586919, visible at plugins.trac.wordpress.org/changeset?...old=3586919%40feedzy-rss-feeds&new=3586919%40feedzy-rss-feeds); however, the exact released patched version number is not independently confirmed from the available data - the upstream fix available (SVN commit) means a patched release has likely been published, but the version has not been independently verified. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy