Platform: php
Component: we-mp-rss
Fixed in: 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9
A cross-site scripting (XSS) vulnerability has been identified in WeRSS we-mp-rss versions 1.4.0 to 1.4.8. The flaw resides in the fix_html function of the file tools/fix.py, part of the Article Module component. Successful exploitation allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability is remotely exploitable and has been publicly disclosed.
The XSS vulnerability in WeRSS we-mp-rss allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they visit a vulnerable page. Attackers could leverage this to steal session cookies, redirect users to malicious websites, deface the website, or execute other malicious actions. The impact is amplified if the website is used for sensitive data processing or handles user authentication, as attackers could potentially gain unauthorized access to user accounts and data. The remote accessibility of the vulnerability increases the attack surface and potential for widespread exploitation.
This vulnerability was publicly disclosed on 2026-02-20. A proof-of-concept exploit is likely to be available given the public disclosure. The LOW CVSS score indicates a relatively low probability of exploitation, but the ease of exploitation and remote accessibility should still be taken seriously. Monitor security advisories and threat intelligence feeds for any reports of active exploitation campaigns targeting WeRSS.
Websites and applications utilizing WeRSS we-mp-rss versions 1.4.0 through 1.4.8 are at risk. This includes websites that integrate WeRSS for RSS feed management and display. Shared hosting environments where multiple websites share the same server instance are particularly vulnerable, as a compromise of one website could potentially lead to the compromise of others.
• php / web:
grep -r "fix_html" /var/www/html/we-mp-rss/
• generic web:
curl -I https://your-website.com/article.php?title=$(echo '<script>alert("XSS")</script>' | base64 -d) | grep 'XSS'
Exploit Status
EPSS: 0.01% (1% percentile)
The primary mitigation for CVE-2026-2825 is to upgrade WeRSS we-mp-rss to a version that includes the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data within the fix_html function to sanitize potentially malicious input. Web application firewalls (WAFs) configured with rules to detect and block XSS attacks can provide an additional layer of protection. Regularly review and update security policies and procedures to ensure they address XSS vulnerabilities.
Update the we-mp-rss module to a version later than 1.4.8 to remediate the cross-site scripting (XSS) vulnerability in the fix_html function of the file tools/fix.py. This prevents remote manipulation and the execution of malicious scripts in the user's browser.
CVE-2026-2825 is a cross-site scripting (XSS) vulnerability affecting WeRSS we-mp-rss versions 1.4.0 through 1.4.8, allowing attackers to inject malicious scripts.
You are affected if your WeRSS we-mp-rss installation is running versions 1.4.0 to 1.4.8. Check your version and upgrade immediately.
Upgrade WeRSS we-mp-rss to a patched version. As a temporary workaround, implement input validation and output encoding.
While the CVSS score is LOW, the public disclosure suggests a potential for exploitation. Monitor security advisories for updates.
Refer to the WeRSS project's official website or security mailing list for the latest advisory regarding CVE-2026-2825.