CVE-2018-10752
Description
The Tagregator plugin 0.6 for WordPress has stored XSS via the title field in an Add New action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <=0.6
- (no CPE) range: <=0.6
Vulnerability mechanics
Root cause
"Missing output sanitization on the title field in the Tagregator plugin's Add New action allows stored cross-site scripting."
Attack vector
An attacker who can access the WordPress admin panel navigates to the Tagregator settings, chooses a media type (e.g., Tweets, Instagram Media), and clicks "Add New" [ref_id=1]. In the title field, the attacker injects a JavaScript payload such as `
Affected code
The vulnerability exists in the Tagregator plugin version 0.6 for WordPress. The plugin's "Add New" action for Tweets, Instagram Media, Flickr Post, or Google+ Activities does not sanitize the title field before storing or displaying it.
What the fix does
No patch is included in the bundle. The advisory does not specify a fix, but the remediation for stored XSS in WordPress plugins typically involves sanitizing the title field with a function like `sanitize_text_field()` before storing the value, or escaping it with a function like `esc_html()` before rendering it [ref_id=1].
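The typical remediation described above, as an added example that is not the Tagregator plugin's code and not a patch from the advisory: the title is sanitized when the post is saved and escaped again when it is rendered. The post type `example_media_item` and the `example_*` function names are hypothetical; the WordPress functions called are core APIs.

```php
<?php
/**
 * Added example: sanitize a custom post type's title on save and escape it
 * on output. 'example_media_item' is a hypothetical post type, not one of
 * the plugin's own.
 */

const EXAMPLE_POST_TYPES = array( 'example_media_item' );

// Storage side: runs for every post insert/update before the row is written.
add_filter( 'wp_insert_post_data', 'example_sanitize_title_on_save', 10, 2 );

function example_sanitize_title_on_save( $data, $postarr ) {
	if ( ! in_array( $data['post_type'], EXAMPLE_POST_TYPES, true ) ) {
		return $data; // Leave other post types untouched.
	}

	// $data arrives slashed: unslash, strip tags and control characters,
	// then re-slash so the database layer receives what it expects.
	$title              = wp_unslash( $data['post_title'] );
	$data['post_title'] = wp_slash( sanitize_text_field( $title ) );

	return $data;
}

// Output side: escape at render time as well, so rows stored before the
// save filter existed are still emitted as text rather than markup.
function example_render_title( $post_id ) {
	$raw = get_post_field( 'post_title', $post_id, 'raw' );
	printf(
		'<h3 class="example-media-title">%s</h3>',
		esc_html( $raw )
	);
}
```

Escaping on output is the part that covers titles already stored in the database; the save filter only affects writes made after it is installed.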
Preconditions
- auth: Attacker must have access to the WordPress admin panel (any role that can access Tagregator settings).
- config: The Tagregator plugin version 0.6 must be installed and activated.
Reproduction
#1. Log in to admin panel.
#2. Access WordPress Tagregator settings, choose Tweets/Instagram Media/Flickr Post/Google+ Activities and click "Add New" button.
#3. In the title field, inject XSS payload such as `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45225/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- pastebin.com/ZGr5tyP2 (mitre, x_refsource_MISC)