CVE-2021-24793

Name of the Vulnerable Software and Affected Versions: WPeMatico RSS Feed Fetcher WordPress plugin versions prior to 2.6.12

Description: The issue allows high privilege users to perform Cross-Site Scripting attacks due to the Feed URL added to a campaign not being escaped before outputting it in an attribute. This is possible even when the unfiltered html capability is disallowed.

Recommendations: For versions prior to 2.6.12, update to version 2.6.12 or later to resolve the issue. As a temporary workaround, consider restricting the ability to add or edit Feed URLs in campaigns to minimize the risk of exploitation.