CVE-2025-14745
Stored XSS in WordPress RSS Aggregator Plugin Allows Script Injection
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_rss_aggregator | wp_rss_aggregator | to 5.0.10 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the RSS Aggregator WordPress plugin (up to version 5.0.10) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize and escape user-supplied attributes in its 'wp-rss-aggregator' shortcode. This allows authenticated users with contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the infected page.
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access to inject arbitrary web scripts into pages, which will execute in the browsers of users who visit those pages. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware. It compromises the integrity and security of the website and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your WordPress installation uses the RSS Aggregator plugin (wp-rss-aggregator) at version 5.0.10 or earlier. Since the vulnerability involves stored cross-site scripting via the 'wp-rss-aggregator' shortcode, detection involves identifying posts or pages containing this shortcode with potentially malicious script injections. You can search your WordPress database for posts containing the shortcode and suspicious script tags. For example, using WP-CLI, you can run: `wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[wp-rss-aggregator%' AND post_content LIKE '%<script>%'"` to find posts that include the shortcode and script tags. Additionally, monitoring HTTP requests and responses for unusual script injections in pages rendering this shortcode can help detect exploitation attempts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the RSS Aggregator plugin to version 5.0.11 or later, where input sanitization and output escaping have been improved to prevent this stored cross-site scripting vulnerability. If updating is not immediately possible, restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with contributor-level access or above to exploit. Additionally, consider scanning and cleaning any injected scripts from posts or pages containing the 'wp-rss-aggregator' shortcode. [2]