Unauthorized Settings Update in RSS Aggregator Plugin by Feedzy for WordPress
CVE-2023-6798

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Vendor: CVE Published:; 6 January 2024

Summary

The RSS Aggregator by Feedzy plugin for WordPress is susceptible to unauthorized settings updates due to a lack of necessary capability checks. This vulnerability affects all versions up to and including 4.3.2, allowing authenticated attackers with author-level access or higher to manipulate plugin settings, including potentially sensitive proxy configurations. Such unauthorized modifications could lead to severe security implications for the affected site.

Affected Version(s)

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator * <= 4.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 6, 2024
Vulnerability Reserved
Dec 13, 2023

Credit

Colin Xu