WordPress Plugin Vulnerabilities

RSS Aggregator by Feedzy < 4.3.3 - Missing Authorization

Description

The plugin is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with author-level access or above to change the plugin's settings including proxy settings, which are also exposed to authors.

Affects Plugins

Plugin icon
feedzy-rss-feeds
Fixed in 4.3.3

References

CVE
CVE-2023-6798
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2cdf4e5-0a40-42ca-b5ac-78511fdd2b77

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Colin Xu
Verified
No
WPVDB ID
750fdb94-6bc4-498b-a4ed-1a3c8d9cb479

Timeline

Publicly Published
2024-01-05 (about 2 years ago)
Added
2024-01-12 (about 2 years ago)
Last Updated
2024-01-12 (about 2 years ago)

Other

Published
Title
Published
2024-03-21
Title
WP Compress – Image Optimizer < 6.11.11 - Missing Authorization to Unauthenticated CDN Modification
Published
2023-07-10
Title
Buy Me a Coffee – Button and Widget Plugin < 3.8 - Subscriber+ Unauthorized Data Modification
Published
2026-02-09
Title
Cartify - WooCommerce Gutenberg WordPress <= 1.3 - Authenticated (Subscriber+) Arbitrary Post Deletion
Published
2025-12-15
Title
Simple Link Directory < 8.8.4 - Missing Authorization
Published
2025-10-19
Title
ListingPro Lead Form <= 1.0.2 - Missing Authorization