CVE-2023-6877 in RSS Aggregator Plugininfo

Summary

by MITRE • 04/07/2024

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.3.3 due to insufficient input sanitization and output escaping on the Content-Type field of error messages when retrieving an invalid RSS feed. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2023-6877 affects the RSS Aggregator by Feedzy plugin for WordPress, specifically targeting versions up to and including 4.3.3. This represents a critical security flaw that exploits a stored cross-site scripting vulnerability through the plugin's shortcode functionality. The issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's error handling processes, particularly when processing invalid RSS feeds. Attackers can leverage this weakness to inject malicious scripts that persist in the system and execute whenever users access affected pages, creating a significant risk for WordPress installations relying on this plugin for content aggregation.

The technical exploitation of this vulnerability occurs through the Content-Type field within error messages generated when retrieving invalid RSS feeds. When the plugin encounters malformed or problematic feed data, it fails to properly sanitize the input before displaying error information, allowing malicious scripts to be stored within the system's database. This stored payload becomes active when legitimate users access pages containing the compromised content, making the attack vector particularly dangerous as it can affect any user with access to the affected WordPress installation. The vulnerability specifically targets authenticated attackers who possess contributor-level access or higher, which is concerning given that many WordPress sites have multiple users with varying permission levels.

From an operational impact perspective, this vulnerability creates a persistent threat that can compromise user sessions and potentially lead to unauthorized access to sensitive data. The stored nature of the XSS attack means that malicious scripts remain active even after the initial injection, continuously affecting any user who accesses the compromised pages. The attack can be used to steal cookies, session tokens, or perform other malicious activities that could lead to full system compromise. Additionally, the vulnerability affects the plugin's core functionality of aggregating various content types including news feeds and YouTube video feeds, potentially allowing attackers to manipulate the content displayed to end users, creating a broader impact on website integrity and user trust.

Security professionals should note that this vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws, and represents a specific implementation weakness in input validation and output escaping processes. The attack pattern follows typical XSS exploitation techniques documented in the MITRE ATT&CK framework under the T1059.001 technique for Command and Scripting Interpreter, specifically targeting web applications through user input manipulation. Organizations should immediately update to the latest plugin version where this vulnerability has been patched, implement proper input validation measures, and consider monitoring for suspicious activity related to feed aggregation functionality. Network segmentation and user access controls should also be reviewed to limit the potential impact of such vulnerabilities, particularly given that the attack requires only contributor-level privileges to execute successfully.

Responsible

Wordfence

Reservation

12/15/2023

Disclosure

04/07/2024

Moderation

accepted

CPE

ready

EPSS

0.00352

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!