Premium Support Requests Vulnerability in RSS Aggregator Plugin
CVE-2024-9583

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Rss Aggregator – Rss Import, News Feeds, Feed To Post, And Autoblogging
Vendor: CVE Published:; 23 October 2024

Summary

The RSS Aggregator plugin for WordPress has a serious security flaw due to a lack of proper capability checks in its AJAX function, specifically on the 'wprss_ajax_send_premium_support'. This vulnerability allows authenticated users, with a minimum of Subscriber-level permissions, to send misleading premium support requests using their own chosen subject lines and email addresses. As a result, attackers can effectively impersonate legitimate site owners, which could lead to unauthorized access or disclosure of sensitive license information associated with the site. All versions of the plugin up to and including version 4.23.12 are affected by this vulnerability, highlighting the necessity for prompt updates and increased scrutiny of user permissions.

Affected Version(s)

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging * <= 4.23.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-rss-aggrega...

https://plugins.trac.wordpress.org/changeset/3168468/wp-r...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 23, 2024
Vulnerability Reserved
Oct 7, 2024

Credit

tptNhan