Rss Aggregator By Feedzy Feed To Post Autoblogging News Youtube Video Feeds Aggregator
Monthly
Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the low privilege bar (contributor) and scope change to administrator sessions make this a meaningful risk for multi-author WordPress deployments.
Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the low privilege bar (contributor) and scope change to administrator sessions make this a meaningful risk for multi-author WordPress deployments.