Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS payload fires only when a victim visits the injected page (UI:R, differing from NVD's UI:N); contributor authentication required (PR:L); scope change (S:C) reflects browser-context escalation to other users.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The RSS Aggregator by Feedzy - Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum contributor-level role on the target site - unauthenticated visitors cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 Medium score captures the key risk drivers: network-accessible attack vector (AV:N), low complexity (AC:L), contributor-level authentication requirement (PR:L), and a Changed Scope (S:C) reflecting that the XSS payload executes in victims' browsers rather than the attacker's own context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a contributor account on a target WordPress site edits or creates a post using the Feedzy RSS Aggregator block and injects a crafted JavaScript payload into the 'aspectRatio' attribute (e.g., a value that breaks out of the attribute context and inserts a script tag). The post is published or submitted for review; when a site administrator visits or previews the page, the payload executes in their browser session, exfiltrating the admin's authentication cookie to an attacker-controlled server. … |
| Remediation | A fix has been committed to the WordPress plugin SVN repository (changeset 3586919, visible at plugins.trac.wordpress.org/changeset?...old=3586919%40feedzy-rss-feeds&new=3586919%40feedzy-rss-feeds); however, the exact released patched version number is not independently confirmed from the available data - the upstream fix available (SVN commit) means a patched release has likely been published, but the version has not been independently verified. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41268
GHSA-95qw-x29w-3qx6