CVE Catalog

CVE-2026-13252

Medium · CVSS 6.4
Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

The RSS Aggregator by Feedzy plugin for WordPress up to version 5.2.1 is vulnerable to stored XSS via the 'aspectRatio' attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users access affected pages.

Risk Assessment

The risk includes potential session hijacking, data theft, or malware distribution within the WordPress site, leading to loss of trust and content integrity.

Recommendation

Immediately update the RSS Aggregator by Feedzy plugin to the latest available version that fixes this vulnerability, and restrict user permissions to the minimum necessary.

Original NVD description (English source)

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS