Threat Entry Updated 2026-03-09

CVE-2026-2433 - And Autoblogging Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that…

PLUGIN And Autoblogging

CVE-2026-2433

MEDIUM CVSS 6.1 2026-03-07

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-01-26

CVE-2025-14745 - And Autoblogging Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN And Autoblogging

CVE-2025-14745

MEDIUM CVSS 6.4 2026-01-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-01-16

CVE-2025-14375 - And Autoblogging Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN And Autoblogging

CVE-2025-14375

MEDIUM CVSS 6.1 2026-01-16

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-10-25

CVE-2024-9583 - And Autoblogging Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support allowing them to impersonate the site owner. License information may also be leaked.

PLUGIN And Autoblogging

CVE-2024-9583

MEDIUM CVSS 4.3 2024-10-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-6621 - And Autoblogging Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_feed_source' functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds.

PLUGIN And Autoblogging

CVE-2024-6621

MEDIUM CVSS 4.3 2024-07-16

Risk Score

Open Full Technical Breakdown