WordPress Security Bulletin: RSS Aggregator 6 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin (CVE-2026-2433)

Security Alert Summary

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress contains a DOM-based cross-site scripting (XSS) vulnerability in its admin JavaScript. The plugin registers a global message event listener without validating the message origin and passes attacker-controlled URLs to window.open(), allowing an attacker to execute JavaScript in the context of an authenticated administrator if they can trick that administrator into visiting a malicious site that posts crafted messages.


CVE Details

  • CVE ID: CVE-2026-2433
  • Affected component: The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress (admin-shell.js)
  • Affected versions: All versions up to, and including, 5.0.11
  • Published: March 7, 2026 at 8:16 AM (UTC)
  • Last modified: March 7, 2026 at 8:16 AM (UTC)
  • CVSS v3.1: Base Score 6.1 — MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User interaction: Authentication not required (unauthenticated attacker); Privileges required: None; User interaction: Required
  • Scope: Changed
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation (Cross-site Scripting))

Technical Details

This issue is a DOM-based cross-site scripting vulnerability originating in the plugin’s admin-shell.js. The script registers a global message event listener for postMessage events but does not validate event.origin. In addition, it passes values supplied by these messages directly to window.open() without validating the URL scheme. Because the listener accepts messages from any origin and uses message content to open URLs, a remote attacker can host a webpage that sends a crafted postMessage to the plugin’s admin page. If an authenticated administrator visits that malicious page while the browser can deliver the message to the admin page, the attacker-controlled payload can result in arbitrary JavaScript execution in the administrator’s session context.

The vulnerability is DOM-based (client-side). The named artifacts in the report are the global message event listener in admin-shell.js, the missing event.origin check, and the use of window.open() without URL scheme validation.


How This Could Impact Your Website

Imagine a site owner managing a WordPress site with several internal staff members and an external contractor who occasionally administers content. An attacker could set up a malicious page and convince an administrator or contractor to visit it (for example via a link in an email). If that administrator has an admin tab open for the RSS Aggregator plugin or visits the plugin’s admin page while the malicious page sends a crafted postMessage, the attacker could execute script within the administrator’s browser session.

Practical consequences include limited data exposure and actions performed with the administrator’s browser context: for example, disclosure of administrative UI content or actions that operate within the admin page’s privileges. This can increase the risk of targeted phishing or social engineering against administrators and staff by exposing internal user details or enabling further browser-based abuse. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and editor accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site and admin activity logs for unusual behavior that could indicate injected actions or session misuse.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References