CVE-2026-2433

Name of the Vulnerable Software and Affected Versions RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress versions through 5.0.11

Description The RSS Aggregator plugin for WordPress is susceptible to DOM-Based Cross-Site Scripting through the postMessage functionality. The admin-shell.js file registers a global message event listener without validating the origin, and directly passes user-controlled URLs to the window.open() function without URL scheme validation. This allows unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.

Recommendations Update the RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress to a version later than 5.0.11.