PT-2024-17938 · WordPress · The Rss Aggregator By Feedzy – Feed To Post

Lucio Sá

·

Published

2024-02-20

·

Updated

2024-12-31

·

CVE-2024-1318

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress, versions up to and including 4.4.2
Description

A missing capability check on the Feedzy wizard step process and import status functions allows authenticated attackers with Contributor access and above to draft and publish posts with arbitrary content. The Contributor role can normally only write and edit its own drafts and cannot publish them; reaching these functions lets such a user bypass that restriction, because the handlers act on the request without verifying that the caller holds the capability the action requires.
Recommendations

For versions up to and including 4.4.2, update to a version that includes a fix for the missing capability check on the Feedzy wizard step process and import status functions, which prevents the unauthorized modification of data. Until the update is applied, restrict access to these functions, for example by deactivating the plugin or by limiting which accounts hold the Contributor role or higher, since any logged-in user at that level can otherwise reach them.
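The class of bug described above, shown as an added example that is not Feedzy's code: a hypothetical WordPress AJAX handler, `example_import_step_vulnerable`, that publishes whatever content it is handed to any logged-in user, beside a hardened `example_import_step_fixed` that verifies a nonce and the capability matching the action (`publish_posts`, not merely `edit_posts`). The handler names, the action name, the `valid-nonce` value and the simulated Contributor account are assumptions; the WordPress functions are stubbed in minimal form so the script runs under plain `php`, and inside a real plugin those stubs are replaced by core.

```php
<?php
// Added example, not the plugin's code. Minimal stand-ins for the WordPress
// functions used below so the script runs offline under `php`; a real plugin
// gets these from core and must not define them.
$current_caps = ['edit_posts' => true, 'publish_posts' => false]; // simulated Contributor
$posts = [];

function current_user_can(string $cap): bool {
    global $current_caps;
    return $current_caps[$cap] ?? false;
}
function check_ajax_referer(string $action, string $query_arg): bool {
    // Core compares a per-user, per-action nonce; 'valid-nonce' is assumed here.
    return isset($_REQUEST[$query_arg]) && hash_equals('valid-nonce', (string) $_REQUEST[$query_arg]);
}
function wp_insert_post(array $args): int {
    global $posts;
    $posts[] = $args;
    return count($posts);
}
function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
function wp_kses_post(string $s): string { return strip_tags($s, '<p><a><strong><em>'); }
function wp_send_json_error(string $msg, int $code): void { echo "error {$code}: {$msg}\n"; }
function wp_send_json_success(array $data): void { echo 'success: ' . json_encode($data) . "\n"; }

// Vulnerable shape. Registered with add_action('wp_ajax_example_import_step', ...),
// it is reachable by every role, because admin-ajax.php only requires a login.
// Nothing here asks whether the caller may publish.
function example_import_step_vulnerable(array $request): void {
    $id = wp_insert_post([
        'post_title'   => $request['title'],
        'post_content' => $request['content'],
        'post_status'  => 'publish',   // publishes regardless of the caller's role
    ]);
    wp_send_json_success(['post_id' => $id]);
}

// Hardened shape: nonce check against CSRF, then a capability check that matches
// the action performed, then sanitised input. In WordPress wp_send_json_error()
// ends the request itself; the return is for the stub environment.
function example_import_step_fixed(array $request): void {
    if (!check_ajax_referer('example_import_step', 'nonce')) {
        wp_send_json_error('bad nonce', 403);
        return;
    }
    if (!current_user_can('publish_posts')) {
        wp_send_json_error('insufficient capability', 403);
        return;
    }
    $id = wp_insert_post([
        'post_title'   => sanitize_text_field($request['title']),
        'post_content' => wp_kses_post($request['content']),
        'post_status'  => 'publish',
    ]);
    wp_send_json_success(['post_id' => $id]);
}

// Constructed request: a Contributor who holds a valid nonce for the action.
$_REQUEST['nonce'] = 'valid-nonce';
$request = ['title' => 'Injected', 'content' => '<p>attacker-controlled</p><script>x()</script>'];

example_import_step_vulnerable($request);   // publishes as a Contributor
example_import_step_fixed($request);        // error 403: insufficient capability
echo 'published posts: ' . count($posts) . "\n";   // 1, from the vulnerable handler only
```

The capability to check is the one for the action the handler performs, not just "is logged in": `edit_posts` would still let a Contributor through, because Contributors hold it. The nonce is a separate control against CSRF and does not replace the capability check.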

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2024-1318

Affected Products

The Rss Aggregator By Feedzy – Feed To Post