CVE-2026-2433 in RSS Aggregator Plugin
Summary
by MITRE • 03/07/2026
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
Analysis
by VulDB Data Team • 03/08/2026
The vulnerability identified as CVE-2026-2433 affects the RSS Aggregator plugin for WordPress in all versions up to and including 5.0.11. The plugin provides RSS import, news feed management, feed-to-post conversion, and autoblogging functionality within WordPress environments. The flaw is a DOM-based cross-site scripting vulnerability in the plugin's administrative JavaScript component, admin-shell.js. It stems from missing input validation and security controls in that JavaScript code, creating an attack vector that can be exploited by unauthenticated threat actors.
Exploitation goes through admin-shell.js, which registers a global message event listener without origin validation. Because the handler never checks event.origin, it accepts postMessage events from any page, so a malicious site can inject arbitrary data into the plugin's administrative interface. In addition, the handler passes a URL taken from the message directly to window.open() without validating the URL scheme, so a URL with a script-executing scheme is opened in the administrator's browser context. Together, the missing origin check and the missing scheme check let an attacker control the browser's execution context through carefully crafted message payloads.
The operational impact is severe: an unauthenticated attacker can execute arbitrary JavaScript in the authenticated administrator's session context. When an administrator visits a malicious website containing the crafted payload, that site can send postMessage events that trigger the vulnerable code path in the RSS Aggregator plugin. The attacker can then effectively hijack the administrator's session and potentially gain complete control over the WordPress installation, including the ability to modify content, install malicious plugins, change user permissions, or exfiltrate sensitive data. The attack requires social engineering to get the administrator to visit the malicious site, but once successful the impact is devastating.
This vulnerability is classified under CWE-79 (cross-site scripting), specifically the DOM-based variant, where the attack occurs through manipulation of the Document Object Model rather than through server-side input handling. The attack pattern follows the techniques documented in the MITRE ATT&CK framework under T1566 for credential access and T1203 for exploitation of web applications. Organizations should immediately update to the latest plugin version, in which this vulnerability has been patched, implement proper input validation and origin checking in their JavaScript code, and consider additional measures such as a Content Security Policy to prevent unauthorized script execution. The recommended mitigation also includes a thorough code review to ensure that every message event listener validates event.origin and that every user-provided URL undergoes scheme validation before being passed to browser functions like window.open().
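As an added example (not the plugin's own code), the message-handler pattern described in the analysis and the mitigation above, first in the vulnerable form and then hardened with an exact-match origin allowlist and a URL scheme check; the origin list, function names and the injected `openFn` callback (used in place of window.open so the handlers run outside a browser) are assumptions.

```javascript
// Added example, not the plugin's code. Names and the allowed origin are
// hypothetical; `openFn` stands in for window.open so the logic is testable.

// Origins and URL schemes the hardened handler accepts (assumed values).
const TRUSTED_ORIGINS = new Set(['https://admin.example.com']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Vulnerable pattern as described in the advisory: no event.origin check, and
// the URL supplied in the message goes straight to the open function.
function handleMessageVulnerable(event, openFn) {
  const url = event.data && event.data.url;
  if (!url) return false;
  openFn(url);
  return true;
}

// Accepts only absolute http(s) URLs; relative, malformed, javascript:, data:
// and other schemes are rejected. new URL() throws on relative/malformed input.
function isSafeNavigationUrl(value) {
  if (typeof value !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hardened pattern: exact-match origin allowlist first, then scheme validation.
// Returns true when a window was opened, false when the message was dropped.
function handleMessageHardened(event, openFn, trustedOrigins = TRUSTED_ORIGINS) {
  if (!trustedOrigins.has(event.origin)) return false; // missing in vulnerable code
  const url = event.data && event.data.url;
  if (!isSafeNavigationUrl(url)) return false;         // missing in vulnerable code
  openFn(url, '_blank', 'noopener,noreferrer');
  return true;
}

// In a browser the hardened handler would be registered like this.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (e) =>
    handleMessageHardened(e, window.open.bind(window)));
}
```

The origin check must compare the full origin string exactly; a substring or prefix match (for example, testing that the origin contains the site's hostname) is a common way this check is bypassed.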