Feedzy RSS Feeds Lite < 5.1.1 – Authenticated (Subscriber+) Server-Side Request Forgery | CVE 2025-11128 | Plugin Vulnerabilities

Description

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.

Affects Plugins

feedzy-rss-feeds

Fixed in 5.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c33ec58f-3e83-425a-9f0f-5e529be15e05

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lucas Montes (Nirox)

Verified

No

WPVDB ID

496159f7-a7bc-45dd-9341-79eaab806c47

Timeline

Publicly Published

2025-10-22 (about 5 months ago)

Added

2025-10-23 (about 5 months ago)

Last Updated

2025-10-23 (about 5 months ago)

Other

Published

Title

Published

2025-08-27

Title

Solace Extra < 1.3.3 - Authenticated (Admin+) Server-Side Request Forgery

Published

2026-03-20

Title

Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter

Published

2024-03-29

Title

Nelio Content < 3.2.1 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2023-08-15

Title

WP Remote Users Sync < 1.2.13 - Subscriber+ SSRF

Published

2025-10-17

Title

Essential Blocks < 5.7.2 - Authenticated (Author+) Server-Side Request Forgery