Blind Server-Side Request Forgery in RSS Aggregator by Feedzy for WordPress
CVE-2025-11467

5.8 MEDIUM

What is CVE-2025-11467?

The RSS Aggregator plugin by Feedzy, used in WordPress for managing feeds, is susceptible to Blind Server-Side Request Forgery (SSRF). The vulnerability affects all versions up to and including 5.1.1 and is reachable through the feedzy_lazy_load function, which allows unauthorized attackers to manipulate web requests originating from the application. Exploitation could lead to unauthorized queries and alterations of sensitive information from internal services, posing a significant risk to application security.

Affected Version(s)

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator * <= 5.1.1

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lucas Montes