CVSS 6.1

WordPress RSS Aggregator Plugin Allows Attackers to Steal Admin Session

CVE-2026-2433
Summary

An attacker can trick an administrator into visiting a malicious website, allowing the attacker to execute JavaScript in the administrator's session. This could lead to unauthorized access to the WordPress site. To fix this, update the RSS Aggregator plugin to version 5.0.12 or higher.

Original title
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including...
Original description
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
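The two defects named in the description (a message listener with no event.origin check, and a URL handed to window.open() without scheme validation) are a common pattern, so the following added example shows the weak shape next to a hardened one. It is illustrative code written for this page, not the plugin's admin-shell.js; the handler name, the "open-url" message type and the allow-list of origins are assumptions, and the open() callback is injected only so the logic can be exercised without a browser.

```javascript
// Added example (not the plugin's code). Shows why an origin check and a
// URL scheme check are both needed before passing postMessage data to
// window.open().

// Weak shape: any page that can obtain a reference to this window can
// post a message, and whatever it sends is opened as-is.
function vulnerableHandler(event, open) {
  open(event.data.url); // no event.origin check, no scheme check
}

// Only http(s) targets may be opened. Relative URLs resolve against `base`;
// anything else (javascript:, data:, blob:, ...) is rejected. Returns the
// normalised absolute URL or null.
function sanitizeOpenUrl(rawUrl, base = "https://example.invalid/") {
  if (typeof rawUrl !== "string") return null;
  let parsed;
  try {
    parsed = new URL(rawUrl, base);
  } catch {
    return null; // unparseable input is not opened
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Exact-match allow-list of sender origins. startsWith()/includes() on the
// origin string would be bypassable by lookalike hosts; use strict equality.
function isAllowedOrigin(origin, allowedOrigins) {
  return allowedOrigins.includes(origin);
}

// Hardened handler. Returns a short reason string so the decision can be
// logged or asserted on; a real handler would simply return.
function makeMessageHandler({ allowedOrigins, open }) {
  return function onMessage(event) {
    if (!isAllowedOrigin(event.origin, allowedOrigins)) return "rejected-origin";
    const data = event.data;
    if (!data || typeof data !== "object" || data.type !== "open-url") {
      return "rejected-shape";
    }
    const safe = sanitizeOpenUrl(data.url, event.origin);
    if (safe === null) return "rejected-url";
    // noopener/noreferrer keeps the opened page from reaching back into
    // the admin window via window.opener.
    open(safe, "_blank", "noopener,noreferrer");
    return "opened";
  };
}

// Browser wiring (assumed admin origin; the handler is what matters):
// window.addEventListener("message", makeMessageHandler({
//   allowedOrigins: [window.location.origin],
//   open: window.open.bind(window),
// }));
```

Checking the origin first means a message from any other site is dropped before its payload is looked at; the scheme check then guards the case where a trusted-origin page relays untrusted data.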
NVD CVSS 3.1: 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026