Analysis Report Folder Analysis cache/wp-rss-aggregator_5.0.10 → cache/wp-rss-aggregator_5.0.11 - CVE-2025-14375

Shared security patch analysis results

AI Used: claude_cli haiku
Share this analysis
Use quotes for exact: \"SQL injection\" | Operators: hello AND bye, admin OR root, -error, NOT warning
Showing 0 to 0 of 0 results
core/modules/renderer.php AI: 1 vulnerabilities 1 true positive 
--- cache/wp-rss-aggregator_5.0.10/core/modules/renderer.php	2026-01-16 00:19:53.335210506 +0000+++ cache/wp-rss-aggregator_5.0.11/core/modules/renderer.php	2026-01-16 00:21:24.124907744 +0000@@ -55,6 +55,12 @@ 				die(); 			} +			$nonce = $data['_wpnonce'] ?? '';+			if ( ! wp_verify_nonce( $nonce, 'wpra_render_display' ) ) {+				status_header( 403 );+				echo 'Nonce verification failed.';+				die();+			} 			// The $data array now contains all persisted shortcode attributes 			// from hx-vals, including id, page, sources, limit, exclude, pagination, template. 			// Pass the whole $data array to renderArgs.
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Request Forgery (CSRF) - CWE-352 - core/modules/renderer.php Lines 58-63

Old Code:
```php
// No nonce verification present
// Direct processing of $data array without CSRF protection
```

Fixed Code:
```php
$nonce = $data['_wpnonce'] ?? '';
if ( ! wp_verify_nonce( $nonce, 'wpra_render_display' ) ) {
	status_header( 403 );
	echo 'Nonce verification failed.';
	die();
}
```

Explanation:
The original code was vulnerable to CSRF attacks because it processed user-supplied data from the `$data` array without verifying a WordPress nonce token. This allowed attackers to craft malicious requests that could execute the renderer functionality on behalf of authenticated users without their knowledge or consent. The fix implements proper nonce verification using `wp_verify_nonce()` with the 'wpra_render_display' action, which ensures that requests originate from legitimate sources within the WordPress application. The function checks if the nonce is valid and returns a 403 Forbidden status if verification fails, preventing unauthorized CSRF attacks.
CVE Analysis Results:
CVE-2025-14375: No
View CVE Description 
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
core/src/Display/LayoutTrait.php AI: 2 vulnerabilities 2 true positives 
--- cache/wp-rss-aggregator_5.0.10/core/src/Display/LayoutTrait.php	2026-01-16 00:19:53.339210757 +0000+++ cache/wp-rss-aggregator_5.0.11/core/src/Display/LayoutTrait.php	2026-01-16 00:21:25.056966156 +0000@@ -131,7 +131,7 @@  		return sprintf( 			'<span class="feed-author">%s</span>',-			rtrim( $this->ds->authorPrefix ) . ' ' . $authorName+			esc_html( rtrim( $this->ds->authorPrefix ) . ' ' . $authorName ) 		); 	} @@ -207,10 +207,17 @@ 		}  		$tag = $block ? 'div' : 'span';+		$prefix = esc_html( $this->ds->sourcePrefix );++		// $srcName is already HTML from renderLink, so it doesn't need escaping again.+		// If linking is disabled, $srcName is just the source name string, which needs escaping.+		if ( ! ( $this->ds->linkSource && $links && ! empty( $url ) ) ) {+			$srcName = esc_html( $srcName );+		}  		return <<<HTML             <{$tag} class="feed-source">-                {$this->ds->sourcePrefix} {$srcName}+                {$prefix} {$srcName}             </{$tag}>         HTML; 	}
AI Analysis
Analyzing the security fixes in the provided diff:

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE
XSS (Cross-Site Scripting) - CWE-79 - core/src/Display/LayoutTrait.php - Lines 134

Old Code:
```php
rtrim( $this->ds->authorPrefix ) . ' ' . $authorName
```

Fixed Code:
```php
esc_html( rtrim( $this->ds->authorPrefix ) . ' ' . $authorName )
```

Explanation:
The old code concatenated user-controlled data (`$this->ds->authorPrefix` and `$authorName`) directly into HTML output without escaping. This allows attackers to inject arbitrary HTML/JavaScript through these fields, leading to reflected or stored XSS attacks. The fix wraps the concatenated string with `esc_html()`, which escapes HTML entities and prevents script execution.

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE
XSS (Cross-Site Scripting) - CWE-79 - core/src/Display/LayoutTrait.php - Lines 220

Old Code:
```php
{$this->ds->sourcePrefix} {$srcName}
```

Fixed Code:
```php
$prefix = esc_html( $this->ds->sourcePrefix );
// ... conditional escaping of $srcName based on linking status ...
{$prefix} {$srcName}
```

Explanation:
The old code directly embedded `$this->ds->sourcePrefix` into HTML output without escaping. The fix properly escapes `sourcePrefix` using `esc_html()`. Additionally, the fix adds conditional logic to escape `$srcName` only when it's plain text (when linking is disabled), avoiding double-escaping when `$srcName` is already HTML-safe from `renderLink()`. This prevents XSS while maintaining proper HTML rendering for linked content.
CVE Analysis Results:
CVE-2025-14375: No
View CVE Description 
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
core/src/Display/ListLayout.php AI: 1 vulnerabilities 1 false positive 
--- cache/wp-rss-aggregator_5.0.10/core/src/Display/ListLayout.php	2026-01-16 00:19:53.339210757 +0000+++ cache/wp-rss-aggregator_5.0.11/core/src/Display/ListLayout.php	2026-01-16 00:21:25.064966657 +0000@@ -2,10 +2,10 @@  namespace RebelCode\Aggregator\Core\Display; -use RebelCode\Aggregator\Core\Display\DisplayState;-use RebelCode\Aggregator\Core\Display\LayoutInterface;-use RebelCode\Aggregator\Core\Display\LayoutTrait; use RebelCode\Aggregator\Core\IrPost;+use RebelCode\Aggregator\Core\Display\LayoutTrait;+use RebelCode\Aggregator\Core\Display\LayoutInterface;+use RebelCode\Aggregator\Core\Display\DisplayState;  class ListLayout implements LayoutInterface { @@ -33,9 +33,10 @@  		$listStart = ( $state->page - 1 ) * $this->ds->numItems + 1; 		$listItems = $this->renderItems( $posts, fn ( IrPost $post ) => $this->item( $post ) );+		$htmlClass = esc_attr( $this->ds->htmlClass );  		return <<<HTML-            <div class="wp-rss-aggregator wpra-list-template {$this->ds->htmlClass}">+            <div class="wp-rss-aggregator wpra-list-template {$htmlClass}">                 <{$listType} class="rss-aggregator wpra-item-list {$listClass}" start="{$listStart}">                     {$listItems}                 </{$listType}>@@ -44,8 +45,10 @@ 	}  	private function item( IrPost $post ): string {+		$htmlClass = esc_attr( $this->ds->htmlClass );+ 		return <<<HTML-            <li class="wpra-item feed-item {$this->ds->htmlClass}">+            <li class="wpra-item feed-item {$htmlClass}">                 {$this->renderTitle($post)}                  <div class="wprss-feed-meta">
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/src/Display/ListLayout.php Lines 36, 48

Old Code:
```php
return <<<HTML
            <div class="wp-rss-aggregator wpra-list-template {$this->ds->htmlClass}">
```

and

```php
return <<<HTML
            <li class="wpra-item feed-item {$this->ds->htmlClass}">
```

Fixed Code:
```php
$htmlClass = esc_attr( $this->ds->htmlClass );

return <<<HTML
            <div class="wp-rss-aggregator wpra-list-template {$htmlClass}">
```

and

```php
$htmlClass = esc_attr( $this->ds->htmlClass );

return <<<HTML
            <li class="wpra-item feed-item {$htmlClass}">
```

Explanation:
The original code directly interpolated `$this->ds->htmlClass` into HTML class attributes without sanitization. This is a reflected/stored XSS vulnerability because an attacker could inject malicious JavaScript through the `htmlClass` property. The fix applies `esc_attr()`, a WordPress function that properly escapes output for use in HTML attributes by converting special characters to HTML entities, preventing JavaScript execution. The vulnerability existed in both the `render()` method (line 36) and the `item()` method (line 48).
CVE Analysis Results:
CVE-2025-14375: No
View CVE Description 
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
core/src/IrPost/IrImage.php AI: 2 vulnerabilities 2 false positives 
--- cache/wp-rss-aggregator_5.0.10/core/src/IrPost/IrImage.php	2026-01-16 00:19:53.339210757 +0000+++ cache/wp-rss-aggregator_5.0.11/core/src/IrPost/IrImage.php	2026-01-16 00:21:25.717007519 +0000@@ -5,6 +5,7 @@ namespace RebelCode\Aggregator\Core\IrPost;  use WP_Post;+use WP_Error; use RebelCode\Aggregator\Core\Utils\Size; use RebelCode\Aggregator\Core\Utils\Result; use RebelCode\Aggregator\Core\Utils\Arrays;@@ -62,128 +63,237 @@ 	 * @return Result<int> The result, containing the ID of the downloaded image if successful. 	 */ 	public function download( int $postId = 0 ): Result {-		if ( ! function_exists( 'media_sideload_image' ) ) {+		if ( ! function_exists( 'media_handle_sideload' ) ) { 			require_once ABSPATH . 'wp-admin/includes/media.php'; 			require_once ABSPATH . 'wp-admin/includes/file.php'; 			require_once ABSPATH . 'wp-admin/includes/image.php'; 		} -		// Image has an ID already, so it should exist in the media library+		// Already exists by ID. 		if ( $this->id !== null ) { 			$existing = get_post( $this->id ); 			if ( $existing instanceof WP_Post ) { 				return Result::Ok( $existing->ID );-			} else {-				return Result::Err( "Image #{$this->id} does not exist in the media library." ); 			}+			return Result::Err( "Image #{$this->id} does not exist in the media library." ); 		} +		// Base64 / Data URI. 		if ( strpos( $this->url, 'data:image' ) === 0 ) {-			global $wp_filesystem;-			if ( ! $wp_filesystem ) {-				require_once ABSPATH . 'wp-admin/includes/file.php';-				WP_Filesystem();-			}+			return $this->download_base64_image( $postId );+		} -			list($type, $data) = explode( ';', $this->url );-			list(, $data)      = explode( ',', $data );-			$binary = base64_decode( $data );-			$hash = hash( 'sha256', $binary );--			$existing = get_posts(-				array(-					'post_type' => 'attachment',-					'post_status' => 'any',-					'meta_query' => array(-						array(-							'key' => 'wprss_source_data_hash',-							'value' => $hash,-						),+		// Already imported by URL.+		$existing = query_posts(+			array(+				'post_type' => 'attachment',+				'post_status' => 'any',+				'meta_query' => array(+					array(+						'key' => ImportedMedia::SOURCE_URL,+						'value' => $this->url, 					),-				)-			);+				),+			)+		); -			if ( count( $existing ) > 0 ) {-				return Result::Ok( $existing[0]->ID );-			}+		if ( count( $existing ) > 0 && is_object( $existing[0] ) ) {+			return Result::Ok( $existing[0]->ID );+		} -			$tmp_file_path = wp_tempnam( 'wprss-datauri' );-			if ( ! $tmp_file_path ) {-				return Result::Err( 'Could not create temporary file.' );-			}+		$desc = $postId > 0+			? sprintf( '[Aggregator] Downloaded image for imported item #%d', $postId )+			: 'Imported by WP RSS Aggregator';++		// Fast path: normal media sideload.+		$id = media_sideload_image( $this->url, $postId, $desc, 'id' );+		if ( ! is_wp_error( $id ) ) {+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );+			return Result::Ok( (int) $id );+		} -			if ( ! $wp_filesystem->put_contents( $tmp_file_path, $binary, FS_CHMOD_FILE ) ) {-				@unlink( $tmp_file_path );-				return Result::Err( 'Could not write to temporary file.' );-			}+		// Robust fallback sideload.+		$this->url = trim( html_entity_decode( $this->url ) );+		$id = $this->sideload_image( $this->url, $postId, $desc );+		if ( ! is_wp_error( $id ) ) {+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );+			return Result::Ok( (int) $id );+		} -			$mime_type = str_replace( 'data:', '', $type );-			$extension = '.jpg';-			$mime_to_ext = array(-				'image/jpeg' => '.jpg',-				'image/png'  => '.png',-				'image/gif'  => '.gif',-				'image/bmp'  => '.bmp',-				'image/webp' => '.webp',-			);-			if ( isset( $mime_to_ext[ $mime_type ] ) ) {-				$extension = $mime_to_ext[ $mime_type ];-			}+		// Final browser-safe anti-bot fallback.+		$id = $this->sideload_image_with_remote_get( $this->url, $postId, $desc );+		if ( ! is_wp_error( $id ) ) {+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );+			return Result::Ok( (int) $id );+		} -			$filename = 'image-' . uniqid() . $extension;+		return Result::Err( 'All image download attempts failed.' );+	} -			$file_array = array(-				'name'     => $filename,-				'tmp_name' => $tmp_file_path,-			);--			$desc = ( $postId > 0 )-				? sprintf( __( '[Aggregator] Downloaded image for imported item #%d', 'wpra' ), $postId )-				: __( 'Imported by WP RSS Aggregator', 'wpra' );--			$id = media_handle_sideload( $file_array, $postId, $desc );--			@unlink( $tmp_file_path );--			if ( is_wp_error( $id ) ) {-				return Result::Err( $id->get_error_message() );-			} else {-				update_post_meta( $id, 'wprss_source_data_hash', $hash );-				update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );-				return Result::Ok( $id );-			}+	/**+	 * Base64 image download with hash deduplication.+	 */+	private function download_base64_image( int $postId ): Result {+		global $wp_filesystem;+		if ( ! $wp_filesystem ) {+			require_once ABSPATH . 'wp-admin/includes/file.php';+			WP_Filesystem(); 		} -		$existing = query_posts(+		list($type, $data) = explode( ';', $this->url );+		list(, $data)      = explode( ',', $data );+		$binary = base64_decode( $data );+		$hash = hash( 'sha256', $binary );++		$existing = get_posts( 			array(-				'post_type' => 'attachment',+				'post_type'   => 'attachment', 				'post_status' => 'any',-				'meta_query' => array(+				'meta_query'  => array( 					array(-						'key' => ImportedMedia::SOURCE_URL,-						'value' => $this->url,+						'key'   => 'wprss_source_data_hash',+						'value' => $hash, 					), 				),+				'fields'      => 'ids',+				'numberposts' => 1, 			) 		); -		if ( count( $existing ) > 0 && is_object( $existing[0] ) ) {+		if ( count( $existing ) > 0 ) { 			return Result::Ok( $existing[0]->ID );-		} else {-			$desc = ( $postId > 0 )-			? sprintf( __( '[Aggregator] Downloaded image for imported item #%d', 'wpra' ), $postId )-				: __( 'Imported by WP RSS Aggregator', 'wpra' );--			$result = media_sideload_image( $this->url, $postId, $desc, 'id' );--			if ( is_wp_error( $result ) ) {-				return Result::Err( $result->get_error_message() );-			} else {-				$id = (int) $result;-				update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );-				return Result::Ok( $id );-			} 		}++		$tmp_file = wp_tempnam( 'wprss-datauri' );+		if ( ! $tmp_file || ! $wp_filesystem->put_contents( $tmp_file, $binary, FS_CHMOD_FILE ) ) {+			@unlink( $tmp_file );+			return Result::Err( 'Failed to create temporary file for Base64 image.' );+		}++		$mime_to_ext = array(+			'image/jpeg' => '.jpg',+			'image/png'  => '.png',+			'image/gif'  => '.gif',+			'image/bmp'  => '.bmp',+			'image/webp' => '.webp',+		);+		$mime_type = str_replace( 'data:', '', $type );+		$extension = $mime_to_ext[ $mime_type ] ?? '.jpg';+		$filename = 'image-' . uniqid() . $extension;++		$file_array = array(+			'name' => $filename,+			'tmp_name' => $tmp_file,+		);+		$desc = $postId > 0+			? sprintf( '[Aggregator] Downloaded image for imported item #%d', $postId )+			: 'Imported by WP RSS Aggregator';++		$id = media_handle_sideload( $file_array, $postId, $desc );+		@unlink( $tmp_file );++		if ( ! is_wp_error( $id ) ) {+			update_post_meta( $id, 'wprss_source_data_hash', $hash );+			update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );+			return Result::Ok( $id );+		}++		return Result::Err( 'Failed to sideload Base64 image.' );+	}++	/**+	 * Robust fallback sideload: detects MIME type, fixes extensions, handles WebP, GIF, BMP.+	 */+	private function sideload_image( string $url, int $postId = 0, string $desc = '' ) {+		$tmp_file = download_url( $url, 15 );+		if ( is_wp_error( $tmp_file ) ) {+			return $tmp_file;+		}++		$finfo = finfo_open( FILEINFO_MIME_TYPE );+		$mime_type = finfo_file( $finfo, $tmp_file );+		finfo_close( $finfo );++		$mime_to_ext = array(+			'image/jpeg' => '.jpg',+			'image/png'  => '.png',+			'image/gif'  => '.gif',+			'image/bmp'  => '.bmp',+			'image/webp' => '.webp',+		);++		$extension = $mime_to_ext[ $mime_type ] ?? '.jpg';+		$filename = basename( parse_url( $url, PHP_URL_PATH ) );+		if ( ! preg_match( '/\.(jpe?g|png|gif|bmp|webp)$/i', $filename ) ) {+			$filename .= $extension;+		}++		$file_array = array(+			'name' => $filename,+			'tmp_name' => $tmp_file,+		);+		$id = media_handle_sideload( $file_array, $postId, $desc );+		if ( is_wp_error( $id ) ) {+			@unlink( $tmp_file );+			return $id;+		}++		return $id;+	}++	private function sideload_image_with_remote_get( string $url, int $postId = 0, string $desc = '' ) {+		$url = html_entity_decode( $url, ENT_QUOTES | ENT_HTML5 );+		$url = str_replace( '\\/', '/', $url );++		$path = parse_url( $url, PHP_URL_PATH );+		if ( $path && preg_match( '/\.(jpgx|pngx|jpegx)$/i', $path ) ) {+			$url = preg_replace( '/\.([a-z]+)x(\?|$)/i', '.$1$2', $url );+		}++		// Extract host for Referer.+		$parsed = parse_url($url);+		$referer = $parsed['scheme'] . '://' . $parsed['host'] ?? '';++		$response = wp_remote_get(+			$url,+			array(+				'timeout' => 20,+				'headers' => array(+					'User-Agent'      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36',+					'Accept'          => 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8',+					'Accept-Language' => 'en-US,en;q=0.9',+					'Referer'         => $referer,+				),+			)+		);++		if ( is_wp_error( $response ) ) {+			return $response;+		}++		$code = wp_remote_retrieve_response_code( $response );+		$body = wp_remote_retrieve_body( $response );+		if ( $code !== 200 || empty( $body ) ) {+			return new WP_Error( 'image_blocked', "Image blocked by remote host (HTTP $code)" );+		}++		$tmp = wp_tempnam( 'wprss-img' );+		file_put_contents( $tmp, $body );++		$filename = basename( parse_url( $url, PHP_URL_PATH ) );+		$filename = preg_replace( '/\.(jpgx|pngx|jpegx)$/i', '.jpg', $filename );+		$file_array = array(+			'name' => $filename ?: 'image.jpg',+			'tmp_name' => $tmp,+		);++		$id = media_handle_sideload( $file_array, $postId, $desc );+		if ( is_wp_error( $id ) ) {+			@unlink( $tmp );+			return $id;+		}++		return $id; 	}  	/** Converts the IR image into an array. */
AI Analysis
Now let me analyze the security vulnerabilities in this diff:

---

## Security Analysis Results

**Vulnerability 1: Unsafe URL Decoding Leading to Open Redirect / Path Traversal**

Vulnerability Existed: yes
FALSE POSITIVE

Improper Input Validation - CWE-20 (and CWE-601 Open Redirect) - core/src/IrPost/IrImage.php - Lines 265-267 (new code) and corresponding old code lines 177 (implicit)

**Old Code:**
```php
$result = media_sideload_image( $this->url, $postId, $desc, 'id' );
```

**Fixed Code:**
```php
private function sideload_image_with_remote_get( string $url, int $postId = 0, string $desc = '' ) {
    $url = html_entity_decode( $url, ENT_QUOTES | ENT_HTML5 );
    $url = str_replace( '\\/', '/', $url );
    
    $path = parse_url( $url, PHP_URL_PATH );
    if ( $path && preg_match( '/\.(jpgx|pngx|jpegx)$/i', $path ) ) {
        $url = preg_replace( '/\.([a-z]+)x(\?|$)/i', '.$1$2', $url );
    }
    
    // Extract host for Referer.
    $parsed = parse_url($url);
    $referer = $parsed['scheme'] . '://' . $parsed['host'] ?? '';
    
    $response = wp_remote_get( $url, array( ... ) );
```

Explanation: The old code passed user-controlled URLs directly to `media_sideload_image()` without validation. The fixed code adds URL decoding and transformation logic to handle obfuscated file extensions (`.jpgx`, `.pngx`, `.jpegx`). However, the fix itself introduces a potential issue: `html_entity_decode()` can decode entities that might bypass security checks. More critically, the `$referer` extraction using `parse_url()` without null coalescing may result in incomplete referer headers if scheme or host is missing, potentially leaking information or bypassing anti-bot protections.

---

**Vulnerability 2: Unsafe Filename Handling Without Extension Validation**

Vulnerability Existed: yes
FALSE POSITIVE

Improper Neutralization of Special Elements in Filename - CWE-434 - core/src/IrPost/IrImage.php - Lines 232-238 (new code)

**Old Code:**
```php
$filename = 'image-' . uniqid() . $extension;
```

**Fixed Code:**
```php
$filename = basename( parse_url( $url, PHP_URL_PATH ) );
if ( ! preg_match( '/\.(jpe?g|png|gif|bmp|webp)$/i', $filename ) ) {
    $filename .= $extension;
}
```

Explanation: The old code used a safe generated filename with a validated extension. The new code extracts the filename from the URL using `basename()` without proper sanitization. While it does check for valid image extensions, the `basename()` function alone doesn't prevent directory traversal sequences or special characters that WordPress media functions may not properly handle. Additionally, if the URL contains path traversal characters (e.g., `/../../../evil.jpg`), `basename()` will strip the path but potentially preserve dangerous sequences in the filename itself.

---

**Vulnerability 3: Insufficient Referer Header Construction**

Vulnerability Existed: not sure

Improper Handling of Missing URL Components - CWE-20 - core/src/IrPost/IrImage.php - Lines 265-267 (new code)

**Old Code:**
```php
$result = media_sideload_image( $this->url, $postId, $desc, 'id' );
```

**Fixed Code:**
```php
$parsed = parse_url($url);
$referer = $parsed['scheme'] . '://' . $parsed['host'] ?? '';
```

Explanation: The referer construction uses the null coalescing operator on the entire concatenation result rather than on individual components. If `$parsed['scheme']` or `$parsed['host']` are undefined (due to malformed URLs), this creates a PHP notice/warning. The expression evaluates left-to-right, and the `?? ''` only applies to the final concatenation, not to the array access. This could result in incomplete referer headers (e.g., `://` without host), which might bypass anti-bot protections that expect valid referer headers.

---

**Vulnerability 4: Weak Type Coercion in ID Handling**

Vulnerability Existed: not sure

Type Confusion - CWE-843 - core/src/IrPost/IrImage.php - Lines 153, 197, 205 (new code in multiple methods)

**Old Code:**
```php
$id = (int) $result;
update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
return Result::Ok( $id );
```

**Fixed Code:**
```php
if ( ! is_wp_error( $id ) ) {
    update_post_meta( $id, ImportedMedia::SOURCE_URL, $this->url );
    return Result::Ok( (int) $id );
}
```

Explanation: The new code casts the return value to `(int)` only after verifying it's not a `WP_Error`. However, in `download_base64_image()` at line 153, the return passes `$id` directly without explicit casting. Media functions may return strings or integers inconsistently, and the type declaration `Result::Ok( $id )` expects a specific type. While the `is_wp_error()` check is good, the inconsistent type handling between methods could lead to type confusion if `media_handle_sideload()` returns unexpected types.
CVE Analysis Results:
CVE-2025-14375: No
View CVE Description 
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
core/src/Renderer.php AI: 8 vulnerabilities 2 false positives, 6 true positives 
--- cache/wp-rss-aggregator_5.0.10/core/src/Renderer.php	2026-01-16 00:19:53.339210757 +0000+++ cache/wp-rss-aggregator_5.0.11/core/src/Renderer.php	2026-01-16 00:21:26.297043868 +0000@@ -198,15 +198,15 @@ 		if ( 'block' === $type && ! empty( $id ) ) { 			$preserved_args = array( 				'id' => $id,-				'align' => $args['align'] ?? null,-				'limit' => $args['limit'] ?? null,-				'pagination' => $args['pagination'] ?? null,+				'align'      => isset( $args['align'] ) ? sanitize_text_field( $args['align'] ) : null,+				'limit'      => isset( $args['limit'] ) ? sanitize_text_field( $args['limit'] ) : null,+				'pagination' => isset( $args['pagination'] ) ? sanitize_text_field( $args['pagination'] ) : null, 			); 			// Filter out null values to keep $args clean-			$args = array_filter($preserved_args, fn($value) => $value !== null);+			$args = array_filter( $preserved_args, fn( $value ) => $value !== null ); 		} -		$v4Slug = trim( $args['template'] ?? '' );+		$v4Slug = sanitize_text_field( $args['template'] ?? '' ); 		$display = new Display( null );  		if ( ! empty( $v4Slug ) ) {@@ -246,9 +246,9 @@ 		assert( $display instanceof Display );  		// Process exclusions first-		$excludeSrcsRaw = explode( ',', $args['exclude'] ?? '' );+		$excludeSrcsRaw = explode( ',', sanitize_text_field( $args['exclude'] ?? '' ) ); 		$excludeSrcsInput = array_filter( array_map( 'trim', $excludeSrcsRaw ), 'is_numeric' );-		if (!empty($excludeSrcsInput)) {+		if ( ! empty( $excludeSrcsInput ) ) { 			$v4IdMapExclude = $this->sources->resolveV4Ids( $excludeSrcsInput )->getOr( array() ); 			$v4IdsExclude = array_keys( $v4IdMapExclude ); 			$v5IdsFromV4Exclude = array_values( $v4IdMapExclude );@@ -262,19 +262,19 @@ 		} else { 			// If 'exclude' is not in $args, keep existing display settings (if any) 			// or ensure it's an empty array if not set.-			$display->settings->excludeSrcs = $display->settings->excludeSrcs ?? [];+			$display->settings->excludeSrcs = $display->settings->excludeSrcs ?? array(); 		}  		// Process sources: if any source-defining attributes are in $args, 		// they override any sources set on the loaded $display.-		$sourceArg = $args['source'] ?? '';-		$sourcesArg = $args['sources'] ?? '';-		$feedsArg = $args['feeds'] ?? '';+		$sourceArg = sanitize_text_field( $args['source'] ?? '' );+		$sourcesArg = sanitize_text_field( $args['sources'] ?? '' );+		$feedsArg = sanitize_text_field( $args['feeds'] ?? '' );  		if ( ! empty( $sourceArg ) || ! empty( $sourcesArg ) || ! empty( $feedsArg ) ) {-			$display->sources = []; // Reset sources if specified in args+			$display->sources = array(); // Reset sources if specified in args -			$sourceIdsInput = [];+			$sourceIdsInput = array(); 			$sourceExploded = explode( ',', $sourceArg ); 			$sourcesExploded = explode( ',', $sourcesArg ); @@ -285,7 +285,7 @@ 				} 			} -			$feedSlugsInput = [];+			$feedSlugsInput = array(); 			$feedsExploded = explode( ',', $feedsArg ); 			foreach ( $feedsExploded as $slug ) { 				$slug = trim( $slug );@@ -298,7 +298,7 @@ 				$sourceIdsInput[] = $src->id; 			} -			$display->sources = array_unique($sourceIdsInput);+			$display->sources = array_unique( $sourceIdsInput ); 		} 		// If no source args, $display->sources remains as loaded (or default empty). @@ -310,8 +310,8 @@ 			} 		} -		$categories = explode( ',', $args['category'] ?? '' );-		$folders = explode( ',', $args['folders'] ?? '' );+		$categories = explode( ',', sanitize_text_field( $args['category'] ?? '' ) );+		$folders = explode( ',', sanitize_text_field( $args['folders'] ?? '' ) ); 		foreach ( array_merge( $categories, $folders ) as $folderName ) { 			$folderName = trim( $folderName ); 			if ( ! empty( $folderName ) ) {@@ -319,11 +319,11 @@ 			} 		} -		$className1 = trim( $args['className'] ?? '' );+		$className1 = sanitize_html_class( ( $args['className'] ?? '' ) ); 		$className2 = trim( $display->settings->htmlClass ?? '' ); 		$display->settings->htmlClass = trim( $className1 . ' ' . $className2 ); -		$page = max( 1, $args['page'] ?? 1 );+		$page = max( 1, sanitize_text_field( $args['page'] ?? 1 ) );  		$display = apply_filters( 'wpra.renderer.parseArgs', $display, $args ); @@ -476,18 +476,20 @@  		// Persist pagination enable/disable status if it was set 		// In renderDisplay, $display->settings->enablePagination is modified by shortcode 'pagination'-		if (isset($display->settings->enablePagination)) {+		if ( isset( $display->settings->enablePagination ) ) { 			$shortcode_args['pagination'] = $display->settings->enablePagination ? 'on' : 'off'; 		} -        // If there's a V4 slug associated with the display, persist it.-        // parseArgs uses 'template' to load a display.-        // If an 'id' is present, 'id' takes precedence for loading, but 'template' might-        // still be used by filters or other logic in parseArgs if present.-        if (!empty($display->v4Slug)) {-            $shortcode_args['template'] = $display->v4Slug;-        }+		// If there's a V4 slug associated with the display, persist it.+		// parseArgs uses 'template' to load a display.+		// If an 'id' is present, 'id' takes precedence for loading, but 'template' might+		// still be used by filters or other logic in parseArgs if present.+		if ( ! empty( $display->v4Slug ) ) {+			$shortcode_args['template'] = $display->v4Slug;+		} +		// Add nonce to the shortcode arguments+		$shortcode_args['_wpnonce'] = wp_create_nonce( 'wpra_render_display' ); 		$vals_data = array( 			'action' => 'wpra.render.display', 			// The 'data' key matches what the AJAX handler in core/modules/renderer.php expects
AI Analysis
Based on my analysis of the code diff for the WP RSS Aggregator Renderer.php file, here are the security findings:

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - core/src/Renderer.php lines 201-203

**Old Code:**
```php
'align' => $args['align'] ?? null,
'limit' => $args['limit'] ?? null,
'pagination' => $args['pagination'] ?? null,
```

**Fixed Code:**
```php
'align'      => isset( $args['align'] ) ? sanitize_text_field( $args['align'] ) : null,
'limit'      => isset( $args['limit'] ) ? sanitize_text_field( $args['limit'] ) : null,
'pagination' => isset( $args['pagination'] ) ? sanitize_text_field( $args['pagination'] ) : null,
```

Explanation: The old code directly used user-provided shortcode arguments without sanitization. These values could contain malicious HTML/JavaScript that could be rendered in the frontend, leading to XSS attacks. The fix applies `sanitize_text_field()` to strip HTML tags and dangerous characters.

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - core/src/Renderer.php line 209

**Old Code:**
```php
$v4Slug = trim( $args['template'] ?? '' );
```

**Fixed Code:**
```php
$v4Slug = sanitize_text_field( $args['template'] ?? '' );
```

Explanation: The `template` parameter was trimmed but not sanitized. An attacker could inject malicious content through this parameter. The fix adds `sanitize_text_field()` to remove HTML tags and script content.

---

**Vulnerability 3:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - core/src/Renderer.php line 249

**Old Code:**
```php
$excludeSrcsRaw = explode( ',', $args['exclude'] ?? '' );
```

**Fixed Code:**
```php
$excludeSrcsRaw = explode( ',', sanitize_text_field( $args['exclude'] ?? '' ) );
```

Explanation: The `exclude` parameter was directly used without sanitization before being processed. Although numeric filtering is applied later, the unsanitized input should be cleaned first. The fix sanitizes the raw input.

---

**Vulnerability 4:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - core/src/Renderer.php lines 270-272

**Old Code:**
```php
$sourceArg = $args['source'] ?? '';
$sourcesArg = $args['sources'] ?? '';
$feedsArg = $args['feeds'] ?? '';
```

**Fixed Code:**
```php
$sourceArg = sanitize_text_field( $args['source'] ?? '' );
$sourcesArg = sanitize_text_field( $args['sources'] ?? '' );
$feedsArg = sanitize_text_field( $args['feeds'] ?? '' );
```

Explanation: These source-related parameters lack sanitization, allowing XSS attacks through untrusted shortcode attributes. The fix applies `sanitize_text_field()` to all three parameters.

---

**Vulnerability 5:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - core/src/Renderer.php lines 313-314

**Old Code:**
```php
$categories = explode( ',', $args['category'] ?? '' );
$folders = explode( ',', $args['folders'] ?? '' );
```

**Fixed Code:**
```php
$categories = explode( ',', sanitize_text_field( $args['category'] ?? '' ) );
$folders = explode( ',', sanitize_text_field( $args['folders'] ?? '' ) );
```

Explanation: Unsanitized category and folder parameters could be exploited for XSS. The fix sanitizes both parameters before exploding and processing them.

---

**Vulnerability 6:**

Vulnerability Existed: yes
FALSE POSITIVE

Improper Neutralization of Input During Web Page Generation - CWE-80 - core/src/Renderer.php line 322

**Old Code:**
```php
$className1 = trim( $args['className'] ?? '' );
```

**Fixed Code:**
```php
$className1 = sanitize_html_class( ( $args['className'] ?? '' ) );
```

Explanation: The `className` parameter is used directly in HTML output without proper sanitization. An attacker could inject malicious class names or attributes. The fix uses `sanitize_html_class()` which is WordPress's dedicated function for sanitizing HTML class attributes.

---

**Vulnerability 7:**

Vulnerability Existed: yes
FALSE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - core/src/Renderer.php line 326

**Old Code:**
```php
$page = max( 1, $args['page'] ?? 1 );
```

**Fixed Code:**
```php
$page = max( 1, sanitize_text_field( $args['page'] ?? 1 ) );
```

Explanation: The `page` parameter receives user input but relies only on `max()` for validation. While numeric, it should be sanitized first. The fix adds `sanitize_text_field()` as defensive programming.

---

**Vulnerability 8:**

Vulnerability Existed: yes
TRUE POSITIVE

Missing CSRF Protection - CWE-352 - core/src/Renderer.php line 492 (new code at line ~493)

**Old Code:**
```php
// No nonce present
$vals_data = array(
    'action' => 'wpra.render.display',
    'data' => $shortcode_args,
);
```

**Fixed Code:**
```php
// Add nonce to the shortcode arguments
$shortcode_args['_wpnonce'] = wp_create_nonce( 'wpra_render_display' );
$vals_data = array(
    'action' => 'wpra.render.display',
    'data' => $shortcode_args,
);
```

Explanation: AJAX requests for rendering displays lacked CSRF protection tokens (nonces). An attacker could craft requests to perform unauthorized actions. The fix adds WordPress nonce verification via `wp_create_nonce()` to protect against CSRF attacks.
CVE Analysis Results:
CVE-2025-14375: No
View CVE Description 
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
core/src/V4/V4SourceMigrator.php AI: No vulnerabilities 
--- cache/wp-rss-aggregator_5.0.10/core/src/V4/V4SourceMigrator.php	2026-01-16 00:19:53.343211008 +0000+++ cache/wp-rss-aggregator_5.0.11/core/src/V4/V4SourceMigrator.php	2026-01-16 00:21:27.901144388 +0000@@ -172,6 +172,7 @@ 		$removeFtImage = $meta['wprss_ftp_remove_ft_image'] ?? '0'; 		$mustHaveFtImage = $meta['wprss_ftp_must_have_ft_image'] ?? '0'; +		$src->settings->postType = $meta['wprss_ftp_post_type'] ?? 'wprss_feed_item'; 		$src->settings->downloadImages = Bools::normalize( $saveImages ); 		$src->settings->downloadAllImgSizes = Bools::normalize( $saveAllSizes ); 		$src->settings->assignFtImage = Bools::normalize( $useFtImage );
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability Existed: no**

**CWE-94 (Code Injection) - CWE-94 - core/src/V4/V4SourceMigrator.php [175]**

**Old Code:**
```php
$removeFtImage = $meta['wprss_ftp_remove_ft_image'] ?? '0';
$mustHaveFtImage = $meta['wprss_ftp_must_have_ft_image'] ?? '0';
```

**Fixed Code:**
```php
$removeFtImage = $meta['wprss_ftp_remove_ft_image'] ?? '0';
$mustHaveFtImage = $meta['wprss_ftp_must_have_ft_image'] ?? '0';

$src->settings->postType = $meta['wprss_ftp_post_type'] ?? 'wprss_feed_item';
```

**Explanation:**

The new line assigns `$meta['wprss_ftp_post_type']` directly to `$src->settings->postType` without any validation or sanitization. The `$meta` array comes from WordPress post metadata, which is user-controllable data. If this value is used later in a context where it determines code execution paths, post types, or database queries without validation, it could lead to vulnerabilities.

However, examining the context: WordPress post types are typically restricted to a predefined set by the WordPress core and registered post types. If `$src->settings->postType` is later validated against registered post types before use (which is standard WordPress practice), this would mitigate the risk. The default fallback to `'wprss_feed_item'` is a reasonable safeguard.

Without seeing how `postType` is used downstream, this appears to be a **low-risk addition** that likely does not introduce a vulnerability due to WordPress's built-in post type validation mechanisms, but it would be safer to explicitly validate against `get_post_types()` before assignment.
CVE Analysis Results:
CVE-2025-14375: No
View CVE Description 
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
wp-rss-aggregator.php AI: No vulnerabilities 
--- cache/wp-rss-aggregator_5.0.10/wp-rss-aggregator.php	2026-01-16 00:19:53.459218298 +0000+++ cache/wp-rss-aggregator_5.0.11/wp-rss-aggregator.php	2026-01-16 00:22:01.803267862 +0000@@ -6,7 +6,7 @@  * Plugin Name:       WP RSS Aggregator  * Plugin URI:        https://wprssaggregator.com  * Description:       An RSS importer, aggregator, and auto-blogger plugin for WordPress.- * Version:           5.0.10+ * Version:           5.0.11  * Requires at least: 6.2.2  * Requires PHP:      7.4.0  * Author:            RebelCode@@ -38,7 +38,7 @@ }  if ( ! defined( 'WPRA_VERSION' ) ) {-	define( 'WPRA_VERSION', '5.0.10' );+	define( 'WPRA_VERSION', '5.0.11' ); 	define( 'WPRA_MIN_PHP_VERSION', '7.4.0' ); 	define( 'WPRA_MIN_WP_VERSION', '6.2.2' ); 	define( 'WPRA_FILE', __FILE__ );
AI Analysis
I'll analyze the provided code diff for security vulnerabilities.

**Analysis Results:**

Vulnerability Existed: no

The diff shows only version number updates from 5.0.10 to 5.0.11 in two locations:
- Line 9: Plugin header version comment
- Line 41: WPRA_VERSION constant definition

**Explanation:**

This diff contains no security-relevant code changes. It only updates version strings in:
1. The WordPress plugin header metadata (line 9)
2. A PHP constant definition (line 41)

These are administrative/metadata changes with no impact on code logic, dependencies, permissions, input validation, output encoding, authentication, encryption, or any other security-related functionality. The changes do not introduce, fix, or modify any vulnerable code patterns.

**Conclusion:** No vulnerabilities detected in this diff. This appears to be a routine version bump release with no associated security fixes or concerns.
CVE Analysis Results:
CVE-2025-14375: No
View CVE Description 
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.