WordPress Plugin Vulnerabilities

WP RSS Aggregator < 4.23.12 - Missing Authorization to Authenticated (Subscriber+) Feed State Update

Description

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_feed_source' functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds.

Affects Plugins

Plugin icon
wp-rss-aggregator
Fixed in 4.23.12

References

CVE
CVE-2024-6621
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e37331b-0b75-41ee-b390-532efd674cc1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
6af94c51-2555-4d02-b842-7dbb9c40bc55

Timeline

Publicly Published
2024-07-15 (about 1 year ago)
Added
2024-07-15 (about 1 year ago)
Last Updated
2024-07-16 (about 1 year ago)

Other

Published
Title
Published
2024-05-22
Title
Atarim < 3.30 - Unauthenticated Settings Update, Post Deletion etc
Published
2024-06-06
Title
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery < 1.4.6 - Missing Authorization
Published
2025-12-11
Title
URL Media Uploader <= 1.0.1 - Missing Authorization to Authenticated (Contributor+) Safe File Upload
Published
2025-05-09
Title
Lead Form Data Collection to CRM < 3.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2023-12-12
Title
CAOS < 4.7.15 - Unauthenticated Settings Update