EIP-2026-114018

PRE-CVE

WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114018. PoCs published by Himamshu Dilip Kulkarni.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in the WordPress plugin 'RSS for Yandex Turbo' version 1.29. The exploit involves injecting malicious JavaScript payloads into user input fields, which are then stored in the database and executed when triggered by mouse events.

Description

WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)

Exploits (1)

exploitdb WRITEUP

by Himamshu Dilip Kulkarni · textwebappsphp

https://www.exploit-db.com/exploits/49778

View Code ZIP pw:eip

This is a writeup describing a stored XSS vulnerability in the WordPress plugin 'RSS for Yandex Turbo' version 1.29. The exploit involves injecting malicious JavaScript payloads into user input fields, which are then stored in the database and executed when triggered by mouse events.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin RSS for Yandex Turbo 1.29

Auth required

Prerequisites: WordPress 5.6 installed · RSS for Yandex Turbo plugin version 1.29 installed and activated · Access to WordPress admin panel

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026