Security Alert Summary
The RSS Aggregator 6 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability via the className parameter. An unauthenticated attacker can craft a link that, if clicked by a user, may execute arbitrary web scripts in the context of the victim’s browser due to insufficient input sanitization and output escaping.
CVE Details
- CVE ID: CVE-2025-14375
- Affected component: RSS Aggregator 6 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress
- Affected versions: All versions up to, and including, 5.0.10
- Published: January 16, 2026 at 08:15:46 AM UTC
- Last modified: January 16, 2026 at 03:55:12 PM UTC
- CVSS v3.1: Base Score 6.1, Severity MEDIUM
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Attack vector / complexity: NETWORK / LOW
- Privileges required: NONE
- User interaction: REQUIRED
- Scope: CHANGED
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
The plugin fails to adequately sanitize and escape the value of the className parameter, resulting in a reflected cross-site scripting (XSS) vulnerability. Because the issue is reflected, an attacker must induce a user to follow a crafted link or perform an action that includes the malicious className value in a page response. The CVE description specifies insufficient input sanitization and output escaping as the root cause.
The vulnerability allows arbitrary web scripts included in the reflected input to execute in the context of the victim’s browser when they load the affected page. The entry indicates the attacker does not require authentication to supply the malicious input, but successful exploitation depends on user interaction (clicking a link or similar).
The CVE entry does not specify functions, REST API endpoints, or a fixed/patched version in the provided data.
How This Could Impact Your Website
Consider a site with multiple users: the site owner, internal staff with editor or contributor roles, and an external contractor who helps with content. An attacker could send a crafted URL to one of these users (for example, via email or chat). If the recipient clicks the link, the injected script could run in their browser while they have access to the site, potentially allowing the attacker to read page content visible to that user or perform actions available to the user in their browser session consistent with the stated confidentiality and integrity impacts.
Practical consequences include exposure of information displayed in the browser (such as internal user email addresses visible on admin or author listing pages) and an increased risk of targeted phishing or social engineering based on information gleaned from the affected pages. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available; the CVE entry does not specify a fixed version.
- Until an update is applied, limit exposure by reducing where the plugin outputs user-controllable values in public or administrative pages if feasible.
- Review and reduce unnecessary user roles, especially contributors and other non-administrative accounts that can interact with public-facing content.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, such as unexpected page requests or reports of users receiving suspicious links.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.