Stored Cross-Site Scripting Vulnerability in Feedzy RSS Aggregator Plugin for WordPress
CVE-2023-6801

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Vendor: CVE Published:; 6 January 2024

Summary

The Feedzy RSS Aggregator plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping mechanisms. This issue affects all versions up to and including 4.3.2. Authenticated attackers with author-level permissions can exploit this vulnerability to inject malicious web scripts into pages. These scripts are executed when users access the compromised page, potentially leading to unauthorized actions or data compromise.

Affected Version(s)

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator * <= 4.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 6, 2024
Vulnerability Reserved
Dec 13, 2023

Credit

Colin Xu