The plugin does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to Reflected Cross-Site Scripting.
Save the HTML below to a file with the .html extension, then open it in Firefox while authenticated, in a separate tab, to a WordPress site with the plugin installed.
CPE

Name | Operator | Version |
---|---|---|
wp-rss-aggregator | lt | 4.20 |
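
The pattern behind the issue described above and its fix, as an added example that is not the plugin's own code: a hypothetical WordPress AJAX handler that reflects id unescaped, next to a hardened version. The `example_fetch_row` action, function and nonce names, the use of `$_POST`, the `edit_posts` capability, and the assumption that id is a numeric post ID are all illustrative.

```php
<?php
// Hypothetical handlers with the same shape as the flaw in this advisory.
// Names below are assumptions for illustration, not the plugin's source.

// Before: the request value is written straight into the response body,
// so any markup in it is rendered by the browser.
function example_fetch_row_unsafe() {
    $id = $_POST['id'];                       // attacker-controlled input
    echo 'Fetching items for source ' . $id;  // reflected without escaping
    wp_die();
}

// After: verify the request, validate the type, and return JSON.
function example_fetch_row_hardened() {
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_fetch_row', 'nonce' );

    // Assumption: only users who can edit posts may trigger a fetch.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Assumption: id is a post ID, so coerce it to a non-negative integer.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }

    // wp_send_json_success() sends Content-Type: application/json, so the
    // value is not interpreted as HTML. If an HTML response is required,
    // print the value through esc_html() or esc_attr() instead.
    wp_send_json_success( array( 'id' => $id ) );
}

// Register only the hardened handler, for logged-in users.
add_action( 'wp_ajax_example_fetch_row', 'example_fetch_row_hardened' );
```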