CVE-2025-6382: 
WordPress vulnerability analysis and mitigation

The Taeggie Feed plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6382) that affects all versions up to and including 0.1.10. The vulnerability was discovered and reported by Wordfence, with the initial disclosure occurring on July 24, 2025 (NVD CVE).

The vulnerability exists in the plugin's render() method, which improperly handles the user-supplied name attribute in the taeggie-feed shortcode. The method directly injects the attribute value into a script tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD CVE).

The plugin has been temporarily closed as of July 22, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).