WP RSS Aggregator < 4.19.3 - Subscriber+ Stored Cross-Site Scripting

The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

WordPress 插件跨站脚本漏洞

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress 插件是WordPress开源的一个应用插件。 WP RSS Aggregator WordPress plugin 4.19.3之前版本存在安全漏洞，该漏洞源于插件在将数据输出到系统信息管理仪表板之前不会清理和转义数据。

N/A

N/A