CVE-2026-57349
Status: Deferred - Pending Action

Unauthenticated XSS in WPeMatico RSS Feed Fetcher

Vulnerability report for CVE-2026-57349, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher versions <= 2.8.17.

Meta Information

Published: 2026-07-02
Last modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: wpematico
Product: wpematico_rss_feed_fetcher
Version / Range: up to 2.8.17 (inclusive)

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-57349 is a Cross Site Scripting (XSS) vulnerability found in the WordPress WPeMatico RSS Feed Fetcher Plugin versions 2.8.17 and below.

This vulnerability allows attackers to inject malicious scripts into the website, which execute when visitors access the affected site.

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page, and typically involves a privileged user role.

The vulnerability is classified as medium priority with a CVSS score of 7.1 and falls under the OWASP Top 10 category A3: Injection.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website.

These scripts can perform actions such as redirects or displaying unwanted advertisements, potentially harming your site's reputation and user trust.

Because the attack requires user interaction and often targets privileged users, it can lead to unauthorized actions or data compromise.

The vulnerability's moderate severity and potential for mass exploitation make it a significant risk if left unpatched.

Detection Guidance

This vulnerability involves Cross Site Scripting (XSS) in the WPeMatico RSS Feed Fetcher plugin versions 2.8.17 and below. Detection typically involves identifying attempts to inject malicious scripts or unusual requests targeting the plugin.

While no specific commands are provided in the resources, common detection methods include monitoring web server logs for suspicious query parameters or payloads that resemble XSS attack vectors, such as script tags or encoded JavaScript.

You can use tools like grep to search your web server access logs for suspicious patterns. For example:

  • grep -iE "<script|%3Cscript|javascript:" /var/log/apache2/access.log
  • grep -i "wpematico" /var/log/apache2/access.log

Additionally, web application firewalls (WAFs) or intrusion detection systems (IDS) with rules targeting XSS payloads can help detect exploitation attempts.
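The grep-based approach above, as an added example that is not part of this advisory or of the plugin's code: a small Python scanner over Apache combined-format access log lines that URL-decodes the request target before matching, so encoded and double-encoded script tags, which a literal grep for "<script" misses, are still flagged. The log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Client IP and request target from an Apache/Nginx combined-format access log line.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# The indicators named in the detection guidance: script tags and javascript: URLs.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded input (%253C -> %3C -> <) is not missed as it is by a literal grep."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_access_log(log_text: str) -> list:
    """Return one finding per line whose decoded request target carries an XSS indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = fully_decode(m["target"])
        reasons = [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]
        if reasons:
            findings.append({
                "ip": m["ip"],
                "decoded": decoded,
                "reasons": reasons,
                # Requests that name the plugin deserve review first.
                "touches_wpematico": "wpematico" in decoded.lower(),
            })
    return findings

# Constructed sample lines using documentation IP ranges; the last line is benign and must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2026:10:00:05 +0000] "GET /wp-admin/admin.php?page=wpematico&q=%3Cscript%3E HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.9 - - [02/Jul/2026:10:00:09 +0000] "GET /?s=%253Cscript%253E HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
192.0.2.11 - - [02/Jul/2026:10:00:12 +0000] "GET /index.php?url=javascript%3Avoid(0) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.12 - - [02/Jul/2026:10:00:15 +0000] "GET /blog/javascript-tips HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""
```

Run `scan_access_log(open("/var/log/apache2/access.log").read())` against a real log to get the same findings structure; the second sample line is the double-encoded case the plain grep in the bullets above does not catch.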

Mitigation Strategies

The recommended immediate mitigation is to update the WPeMatico RSS Feed Fetcher plugin to version 2.8.18 or later, where the vulnerability is fixed.

Until the update can be applied, Patchstack provides a mitigation rule to block attacks targeting this vulnerability. Implementing such a rule in your web application firewall or security system can help prevent exploitation.

Additionally, restricting user roles and minimizing privileged user interactions with untrusted content can reduce the risk of successful exploitation.
