CVE-2021-24988

MEDIUM

WP RSS Aggregator < 4.19.3 - Authenticated Stored Cross-Site Scripting via wprss_dismiss_addon_notice AJAX Action


Description

The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue because the wprss_dismiss_addon_notice AJAX action lacks authorisation and CSRF checks, allowing any authenticated user, such as a subscriber, to call it and set a malicious payload in the addon parameter.

References (1)

Exploit, Third Party Advisory (x_refsource_misc): https://wpscan.com/vulnerability/0742483b-6314-451b-a63a-536fd1e14845

Scores

CVSS v3 5.4
EPSS 0.0029
EPSS Percentile 21.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-352 CWE-79 CWE-862
Status published
Products (1)
wprssaggregator/wp_rss_aggregator < 4.19.3
Published Dec 27, 2021
Tracked Since Feb 18, 2026