The RSSImport WordPress plugin through 4.6.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Rssimport | Rssimport_project | * | 4.6.1 (including) |