Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network XSS needing victim interaction (UI:R), with cross-context script execution (S:C) yielding limited C/I/A impact, matching a reflected/stored XSS profile.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions.
AnalysisAI
Stored/reflected Cross-Site Scripting in the WPeMatico RSS Feed Fetcher WordPress plugin (versions 2.8.17 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in the browser of a victim who interacts with crafted content. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation with a scope change, meaning injected script can affect the wider WordPress context beyond the vulnerable component. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires no authentication (PR:N) and is network-reachable (AV:N) against sites running WPeMatico RSS Feed Fetcher <= 2.8.17, but it is gated by mandatory user interaction (UI:R): a victim must view or interact with the attacker-crafted content or link for the injected script to fire. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The single available scoring signal is CVSS 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network attack vector, low complexity, no privileges required, but user interaction IS required, and impacts are only Low across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or feed content containing a malicious script payload that WPeMatico renders without proper sanitization, then lures a site administrator or user into clicking the link or viewing the affected page. When the victim's browser loads the page, the injected JavaScript executes in the WordPress context, potentially hijacking the session, performing admin actions, or defacing content. … |
| Remediation | Update the WPeMatico RSS Feed Fetcher plugin to the version released after 2.8.17 (the fixed release above 2.8.17 per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpematico/vulnerability/wordpress-wpematico-rss-feed-fetcher-plugin-2-8-17-cross-site-scripting-xss-vulnerability); no exact fixed version number was included in the provided data, so confirm the patched release directly from the vendor/Patchstack advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress instances running WPeMatico plugin version 2.8.17 or earlier; disable the plugin immediately if identified; review server logs for XSS patterns and injection attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wpematico Rss Feed Fetcher
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41348
GHSA-r6pv-mx9m-vf24