As you may know, quite recently there was news that WordPress plugins could suffer from an XSS vulnerability if they use add_query_arg() and remove_query_arg() without properly sanitizing the data. When the optional third parameter of these functions is omitted, $_SERVER['REQUEST_URI'] is used unescaped; more info here.
Checking your source it seems the functions are used in the following lines of feedwordpress.php:
I am not actually sure if FeedWordPress is vulnerable but I think it should be looked at and esc_url() or esc_raw_url() be added.
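The pattern described in the report, shown before and after escaping. This is an added example, not part of the original report and not FeedWordPress code. The request URI and the two link_* helper names are constructed for illustration, and the fallback definitions are simplified stand-ins that only exist so the file runs outside WordPress.

```php
<?php
// Added example, not FeedWordPress code. Inside WordPress the real
// add_query_arg() and esc_url() are used; the fallbacks below are simplified
// stand-ins (assumptions) so the file also runs from the PHP CLI.
if (!function_exists('add_query_arg')) {
    // Stand-in: array form only. Like the real function, it falls back to
    // $_SERVER['REQUEST_URI'] when no URL is passed.
    function add_query_arg(array $args, $url = false) {
        if ($url === false) {
            $url = $_SERVER['REQUEST_URI'];
        }
        $sep = (strpos($url, '?') === false) ? '?' : '&';
        return $url . $sep . http_build_query($args);
    }
}
if (!function_exists('esc_url')) {
    // Stand-in: HTML-escapes only. The real esc_url() also strips invalid
    // characters and rejects disallowed protocols.
    function esc_url($url) {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed request: the query string carries markup chosen by the requester.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo&x="><b>injected</b>';

// Before: no URL argument, result placed in an attribute unescaped.
function link_unescaped() {
    return '<a href="' . add_query_arg(array('action' => 'update')) . '">Update</a>';
}

// After: same call, escaped at the point of output with esc_url().
function link_escaped() {
    return '<a href="' . esc_url(add_query_arg(array('action' => 'update'))) . '">Update</a>';
}

echo link_unescaped(), PHP_EOL; // the injected quote closes the href early
echo link_escaped(), PHP_EOL;   // quote and angle brackets arrive as entities
```

When reviewing a plugin for this, each add_query_arg() or remove_query_arg() call without an explicit URL argument is a candidate; the ones that matter are those whose return value reaches HTML output or a redirect without escaping.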