VYPR
Medium severity 5.9 · NVD Advisory · Published Aug 14, 2025 · Updated Apr 23, 2026

CVE-2025-53581

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artiosmedia RSS Feed Pro rss-feed-pro allows Stored XSS. This issue affects RSS Feed Pro: from n/a through <= 1.1.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in RSS Feed Pro plugin for WordPress (≤1.1.8) allows attackers to inject malicious scripts via improper input neutralization.

Vulnerability Overview

CVE-2025-53581 is a Stored Cross-Site Scripting (XSS) vulnerability in the RSS Feed Pro plugin for WordPress, affecting versions from n/a through 1.1.8. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code that persists on the server [1].

Exploitation Prerequisites and Attack Vector

Exploitation requires a privileged user (e.g., an administrator or editor) to perform an action such as clicking a crafted link or submitting a form. The vulnerability is initiated by a role with sufficient privileges, but successful execution depends on user interaction from that privileged role [1]. This type of vulnerability is a stored XSS, meaning the injected payload is permanently stored and executed when any visitor accesses the affected page.

Impact

An attacker who successfully exploits this vulnerability can inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute in the context of the victim's browser when they visit the compromised site, potentially leading to session hijacking, defacement, or phishing attacks [1].

Mitigation

The vendor has released version 1.1.9 which resolves the issue. Users are strongly advised to update to this version immediately. Patchstack users can enable auto-updates for vulnerable plugins. While the severity is rated Medium (CVSS 5.9), the vulnerability is known to be used in mass-exploit campaigns, so prompt patching is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
