Unauthorized Data Modification in Feedzy RSS Aggregator Plugin for WordPress
CVE-2024-1318
6.5 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 29 February 2024
What is CVE-2024-1318?
The Feedzy RSS Aggregator plugin for WordPress contains a significant vulnerability that allows authenticated users, specifically those with Contributor privileges and above, to bypass intended restrictions. Due to missing capability checks in the 'feedzy_wizard_step_process' and 'import_status' functions, these users are able to draft and publish posts with arbitrary content, undermining the integrity of the site's content management. This issue affects all versions up to and including 4.4.2, and underscores the importance of implementing robust access controls to prevent unauthorized modifications.
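The missing-capability-check pattern described above, next to a hardened form, as an added example that is not taken from the Feedzy plugin's code. The handler names, AJAX action names, nonce action and the choice of `manage_options` as the required capability are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical handlers, not the Feedzy plugin's code.

// Pattern described above: wp_ajax_* hooks fire for every logged-in user,
// and wp_insert_post() performs no permission check of its own.
add_action( 'wp_ajax_example_wizard_unchecked', 'example_wizard_unchecked' );
function example_wizard_unchecked() {
	$post_id = wp_insert_post( array(
		'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
		'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
		'post_status'  => sanitize_key( $_POST['status'] ?? 'draft' ), // caller decides
	) );
	wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Hardened form: nonce, capability and status allowlist before any write.
add_action( 'wp_ajax_example_wizard_checked', 'example_wizard_checked' );
function example_wizard_checked() {
	// Ends the request with a 403 unless a valid nonce for this action is sent.
	check_ajax_referer( 'example_wizard', 'nonce' );

	// Assumption: the wizard is an administrator-only feature.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// Only accept the post statuses this feature is meant to set.
	$status = sanitize_key( $_POST['status'] ?? 'draft' );
	if ( ! in_array( $status, array( 'draft', 'publish' ), true ) ) {
		wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
	}

	$post_id = wp_insert_post( array(
		'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
		'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
		'post_status'  => $status,
	), true ); // true: return a WP_Error on failure instead of 0
	if ( is_wp_error( $post_id ) ) {
		wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
	}
	wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

When reviewing a plugin for this class of bug, every callback registered on a `wp_ajax_*` hook that writes data should contain both a nonce check and a `current_user_can()` call before the write.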
Affected Version(s)
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator * <= 4.4.2