WordPress Plugin Vulnerabilities

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator < 4.4.2 - Missing Authorization

Description

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the feedzy dashboard in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with contributor access or higher, to create, edit or delete feed categories created by them.

Affects Plugins

Plugin icon
feedzy-rss-feeds
Fixed in 4.4.2

References

CVE
CVE-2024-1092
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/98053141-fe97-4bd4-b820-b6cca3426109

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
52061160-804b-4dec-99dc-94aec0a87e4d

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-09 (about 2 years ago)
Last Updated
2024-02-09 (about 2 years ago)

Other

Published
Title
Published
2026-01-19
Title
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy < 4.2.5 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure
Published
2021-09-01
Title
Gutenberg Template Library & Redux Framework < 4.2.13 - Contributor+ Arbitrary Plugin Installation and Post Deletion
Published
2021-01-28
Title
uListing < 1.7 - Missing Access Controls
Published
2022-07-26
Title
WPGraphQL WooCommerce < 0.12.4 - Unauthenticated Coupon Codes Disclosure
Published
2024-08-07
Title
Premium Addons for Elementor < 4.10.39 - Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update