CVE-2026-13252
Severity: Medium (CVSS 6.4)
Exploitation Probability (EPSS): Low risk, 19th percentile (higher than 19% of all known CVEs)
Summary
The RSS Aggregator by Feedzy plugin for WordPress up to version 5.2.1 is vulnerable to stored XSS via the 'aspectRatio' attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users access affected pages.
Risk Assessment
The risk includes potential session hijacking, data theft, or malware distribution within the WordPress site, leading to loss of trust and content integrity.
Recommendation
Immediately update the RSS Aggregator by Feedzy plugin to the latest available version that fixes this vulnerability, and restrict user permissions to the minimum necessary.
Original NVD description (English source)
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

