🔐 CVE Alert

CVE-2026-2433

Severity: MEDIUM (CVSS 6.1)

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage

CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 0th

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
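The two defects the advisory names (a `message` listener with no `event.origin` check, and a URL from the message handed straight to `window.open()` with no scheme check) are easiest to see side by side. The following is an added example, not the plugin's admin-shell.js: it models the unsafe pattern and a hardened replacement, and assumes a single trusted admin origin (`https://wp.example.test`) and a message shape `{ type: 'open-url', url }`, neither of which is stated on the page. `openFn` stands in for `window.open` so the logic runs outside a browser.

```javascript
// Added example (not the plugin's code): a postMessage handler that opens a URL
// taken from the message, first the unsafe way the advisory describes, then hardened.
// openFn stands in for window.open so the logic can be exercised under Node.

// Assumed: the only origin allowed to drive this admin page is its own origin.
const TRUSTED_ORIGINS = new Set(['https://wp.example.test']);
// Only web schemes may reach window.open; javascript:, data:, blob: and friends are refused.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Unsafe pattern: any page that can send a message can choose the URL, with any scheme.
function unsafeHandler(event, openFn) {
  openFn(event.data.url);
  return true;
}

// Accepts only absolute http(s) URLs; relative strings and other schemes fail closed.
function isSafeWebUrl(candidate) {
  if (typeof candidate !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (_) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hardened handler: check the sender's origin, the message shape (assumed here)
// and the URL scheme before anything reaches window.open.
// Returns a short reason string suitable for logging.
function hardenedHandler(event, openFn) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return 'rejected:origin';
  const data = event.data;
  if (data === null || typeof data !== 'object' || data.type !== 'open-url') {
    return 'rejected:shape';
  }
  if (!isSafeWebUrl(data.url)) return 'rejected:scheme';
  // noopener keeps the opened window from reaching back into the admin page.
  openFn(data.url, '_blank', 'noopener,noreferrer');
  return 'opened';
}

// In a browser the hardened handler is wired up as:
//   window.addEventListener('message', (e) => hardenedHandler(e, window.open.bind(window)));

// Self-check with constructed messages; `calls` records what would have been opened.
function demo() {
  const calls = [];
  const record = (...args) => calls.push(args);
  const fromOtherSite = {
    origin: 'https://other-site.example.test',
    data: { type: 'open-url', url: 'https://example.test/' },
  };
  const badScheme = {
    origin: 'https://wp.example.test',
    data: { type: 'open-url', url: 'javascript:void(0)' },
  };
  const good = {
    origin: 'https://wp.example.test',
    data: { type: 'open-url', url: 'https://example.test/feed' },
  };
  return {
    unsafeOpensForOtherSite: unsafeHandler(fromOtherSite, record),
    otherSite: hardenedHandler(fromOtherSite, record),
    badScheme: hardenedHandler(badScheme, record),
    good: hardenedHandler(good, record),
    opened: calls.map((c) => c[0]),
  };
}
```

The origin check is the control that closes the unauthenticated path the advisory describes: a cross-origin page can still call `postMessage` on the admin window, but its message is dropped before any data is read. The scheme allow-list is the second, independent layer; parsing with `URL` rather than matching a prefix avoids bypasses through whitespace, case or relative URLs, and `noopener` limits what an opened page can do with the opener. Two rejections and one accepted message are exercised in `demo()`.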

CWE: CWE-79
Vendor: rebelcode
Product: rss aggregator – rss import, news feeds, feed to post, and autoblogging
Published: Mar 7, 2026
Last Updated: Apr 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Required (UI:R)
Scope: Changed (S:C)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: None (A:N)

Affected Versions

rebelcode / RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
All versions ≤ 5.0.11

References

NVD, CVE.org, EPSS Data
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/311960e7-c4b4-4638-980f-1e08ffa621ba?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L58
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L58
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L153
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L153
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3473511%40wp-rss-aggregator%2Ftrunk&old=3439393%40wp-rss-aggregator%2Ftrunk&sfp_email=&sfph_mail=

Credits

Osvaldo Noe Gonzalez Del Rio