CVE-2026-1216
Reflected XSS in WordPress RSS Aggregator Plugin
Publication date: 2026-02-17
Last updated on: 2026-02-17
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_rss_aggregator | wp_rss_aggregator | up to and including 5.0.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The RSS Aggregator plugin for WordPress has a vulnerability known as Reflected Cross-Site Scripting (XSS) in all versions up to and including 5.0.10. This vulnerability arises because the plugin does not properly sanitize or escape user-supplied input in the 'template' parameter. As a result, an attacker who is not authenticated can inject malicious web scripts into pages. These scripts execute if a user is tricked into performing an action such as clicking a crafted link.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website. Potential impacts include theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites. Since the attack can be performed without authentication and relies on tricking users into clicking links, it poses a significant risk to site visitors and administrators.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Reflected Cross-Site Scripting (XSS) via the 'template' parameter in the WP RSS Aggregator plugin for WordPress versions up to 5.0.10. Detection typically involves identifying attempts to inject malicious scripts through this parameter.
Since the vulnerability is triggered by user-supplied input in HTTP requests, you can monitor web server logs or network traffic for suspicious requests containing the 'template' parameter with script tags or encoded JavaScript payloads.
- Use grep or similar tools on web server access logs to find requests with the 'template' parameter containing suspicious content, for example: `grep -i 'template=.*<script' /var/log/apache2/access.log`
- To detect URL-encoded payloads: `grep -i 'template=.*%3Cscript' /var/log/apache2/access.log`
Additionally, you can use web application firewall (WAF) logs or intrusion detection systems (IDS) to look for reflected XSS attack patterns targeting the 'template' parameter.
No specific detection commands or tools are detailed in the provided resources.
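The grep commands above miss double-encoded or attribute-based payloads (for example `%253Cscript` or an `onerror=` handler). The following added example, which is not code from the page, the plugin or Wordfence, parses each access-log request line, isolates the 'template' query parameter, fully URL-decodes it and flags script-like content; the log lines are constructed for illustration.

```python
"""Flag access-log requests whose 'template' query parameter carries
script-like content (reflected XSS attempts). Added example, not the
plugin's code; SAMPLE_LOG lines are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markers of script injection, checked only after full URL decoding.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript:|\bon\w+\s*=|<\s*(?:img|svg|iframe)", re.I
)

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def request_target(line):
    """Return the request target from a Combined Log Format line, or None."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
    return m.group(1) if m else None

def suspicious_template_values(line):
    """Decoded 'template' values in this line that look like script injection."""
    target = request_target(line)
    if target is None:
        return []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for value in params.get("template", []):  # parse_qs already decoded once
        decoded = decode_fully(value)
        if SUSPICIOUS.search(decoded):
            hits.append(decoded)
    return hits

def scan(lines):
    """(line number, decoded hits) for every line that triggers the detector."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = suspicious_template_values(line)
        if hits:
            results.append((number, hits))
    return results

# Constructed sample log: benign, plain-encoded, double-encoded, attribute-based,
# and a script payload in an unrelated parameter (not flagged).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Feb/2026:10:00:01 +0000] "GET /?template=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Feb/2026:10:00:02 +0000] "GET /?template=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Feb/2026:10:00:03 +0000] "GET /?template=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Feb/2026:10:00:04 +0000] "GET /?template=%3Cimg%20src%3Dx%20onerror%3Dx%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Feb/2026:10:00:05 +0000] "GET /?other=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Lines 3 and 4 are the cases the `%3Cscript` grep would not catch; feed real logs to `scan()` with `open(path)` and treat each hit as a candidate for blocking and for checking whether the plugin is still at or below 5.0.10.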
What immediate steps should I take to mitigate this vulnerability?
To mitigate this Reflected Cross-Site Scripting vulnerability in the WP RSS Aggregator plugin, immediate steps include:
- Update the WP RSS Aggregator plugin to a version later than 5.0.10 where the vulnerability is fixed.
- Apply security patches that add nonce verification and sanitize user inputs, as described in the patch details, which include sanitizing the 'template' parameter and other shortcode attributes using WordPress functions like sanitize_text_field().
- Ensure that output escaping functions such as esc_html() and esc_attr() are used to prevent script injection in rendered pages.
- If an immediate update is not possible, consider disabling or restricting access to the vulnerable plugin functionality to prevent exploitation.
These steps are based on the security improvements made in the plugin, including nonce verification to block unauthorized requests and enhanced input sanitization to prevent injection attacks. [3]