← back
CVE-2021-24988

WP RSS Aggregator < 4.19.3 - Subscriber+ Stored Cross-Site Scripting

EPSS 0.3%CWE-79
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
27 Dec 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.