RSS Aggregator by Feedzy Vulnerability – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator – Missing Authorization to Arbitrary Page Creation and Publication – CVE-2024-1318 | WordPress Plugin Vulnerability Report

Plugin Name: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Key Information:

  • Software Type: Plugin
  • Software Slug: feedzy-rss-feeds
  • Software Status: Active
  • Software Author: themeisle
  • Software Downloads: 2,093,546
  • Active Installs: 50,000
  • Last Updated: February 13, 2024
  • Patched Versions: 4.4.3
  • Affected Versions: <= 4.4.2

Vulnerability Details:

  • Name: RSS Aggregator by Feedzy <= 4.4.2
  • Title: Missing Authorization to Arbitrary Page Creation and Publication
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE: CVE-2024-1318
  • CVSS Score: 6.5
  • Publicly Published: February 9, 2024
  • Researcher: Lucio Sá
  • Description: The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'feedzy_wizard_step_process' and 'import_status' functions in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with Contributor access and above, who are normally restricted to only being able to create posts rather than pages, to draft and publish posts with arbitrary content.

Summary:

The RSS Aggregator by Feedzy plugin for WordPress has a vulnerability in versions up to and including 4.4.2 that allows for unauthorized modification of data due to missing capability checks. This vulnerability has been patched in version 4.4.3.

Detailed Overview:

This vulnerability was discovered by researcher Lucio Sá and publicly published on February 9, 2024. It affects all versions of the plugin up to 4.4.2. Due to insufficient capability checks on certain functions within the plugin, authenticated users with Contributor level access or higher can bypass restrictions and draft or publish pages with arbitrary content, an action typically restricted to higher-level roles. This exposes sites to potential unauthorized content publication, which can lead to misinformation or malicious content being distributed through affected websites.

Advice for Users:

  • Immediate Action: Users of the RSS Aggregator by Feedzy plugin should immediately update to the patched version 4.4.3 to mitigate this vulnerability.
  • Check for Signs of Vulnerability: Administrators should review their site for any unauthorized or suspicious pages that may have been created or published.
  • Alternate Plugins: Although a patch is available, evaluating alternative plugins that offer similar functionality may be a sensible precaution.
  • Stay Updated: Ensure that all plugins, not just RSS Aggregator by Feedzy, are regularly updated to their latest versions to avoid potential vulnerabilities.
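One way to carry out the "Check for Signs of Vulnerability" step above, as an added audit script rather than anything from the plugin or this report: it lists pages whose author does not hold the capability the page's status requires, which is exactly what an exploit of a missing capability check leaves behind. It assumes WP-CLI (`wp eval-file audit.php`; the file name is hypothetical) and a constructed date cut-off.

```php
<?php
// Added illustrative audit, not the Feedzy plugin's code: find pages whose author
// could not legitimately have created or published them. Run with WP-CLI, e.g.
// `wp eval-file audit.php` (hypothetical file name), so WordPress is fully loaded.

$since = '2023-01-01'; // constructed cut-off: widen it to cover your exposure window

$pages = get_posts( array(
    'post_type'      => 'page',
    'post_status'    => array( 'publish', 'private', 'draft', 'pending' ),
    'posts_per_page' => -1,
    'date_query'     => array( array( 'after' => $since, 'inclusive' => true ) ),
) );

$suspicious = array();
foreach ( $pages as $page ) {
    $author = get_userdata( (int) $page->post_author );
    if ( ! $author ) {
        continue; // deleted author: worth a separate look, not the case checked here
    }

    // Capability a page with this status requires from its author. Contributors hold
    // neither 'edit_pages' nor 'publish_pages'; Editors and Administrators hold both.
    $needed = in_array( $page->post_status, array( 'publish', 'private' ), true )
        ? 'publish_pages'
        : 'edit_pages';

    // Caveat: user_can() reflects the author's CURRENT role; a role changed after the
    // page was created will not show up here.
    if ( ! user_can( $author, $needed ) ) {
        $suspicious[] = sprintf(
            'ID %d | %s | status=%s | author=%s (roles: %s) | lacks %s',
            $page->ID,
            $page->post_date,
            $page->post_status,
            $author->user_login,
            implode( ',', $author->roles ),
            $needed
        );
    }
}

if ( empty( $suspicious ) ) {
    WP_CLI::log( 'No pages found whose author lacks the capability their status requires.' );
} else {
    WP_CLI::warning( count( $suspicious ) . ' page(s) to review:' );
    foreach ( $suspicious as $line ) {
        WP_CLI::log( $line );
    }
}
```

Any page the script lists should be reviewed by hand before deletion, since a legitimate author whose role was later downgraded will also appear.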

Conclusion:

The swift action taken by the developers of RSS Aggregator by Feedzy to release a patch for this vulnerability underscores the critical nature of keeping software up to date. Users are strongly advised to update to version 4.4.3 or later to protect their WordPress installations from potential exploits.

Introduction:

In today's fast-paced digital landscape, the security of your online presence is non-negotiable. A recent discovery in the WordPress ecosystem serves as a critical reminder of this fact. The popular RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin, utilized by over 50,000 websites and downloaded more than 2 million times, was found to have a significant vulnerability labeled CVE-2024-1318. This security flaw allowed unauthorized page creation and publication, presenting a clear and present danger to the integrity and safety of countless websites.

About the Plugin:

RSS Aggregator by Feedzy is a widely used WordPress plugin developed by Themeisle, designed to aggregate various RSS feeds into posts or pages, facilitating autoblogging and content curation. Its functionality makes it a favorite among site owners looking to streamline content processes. However, the very tool that offers efficiency and automation also became a point of vulnerability.

Details of the Vulnerability:

Identified by researcher Lucio Sá and publicly disclosed on February 9, 2024, the vulnerability arose from insufficient capability checks within the plugin's 'feedzy_wizard_step_process' and 'import_status' functions. This oversight meant that users with just Contributor-level access could exploit this gap to draft and publish pages with arbitrary content, a capability typically reserved for roles with higher privileges. The vulnerability, rated with a CVSS score of 6.5, affects all plugin versions up to and including 4.4.2.
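The bug class described above, missing capability checks on an admin-ajax handler, shown as an added example beside the hardened form WordPress expects. This is illustrative code, not the plugin's own 'feedzy_wizard_step_process' or 'import_status' functions; the action name, nonce name and request parameters are hypothetical.

```php
<?php
// Added illustrative example, not the Feedzy plugin's code. The AJAX action,
// nonce action and request fields ('title', 'content', 'status') are hypothetical.

// VULNERABLE PATTERN: every logged-in user can reach a wp_ajax_* handler, so with
// no capability check a Contributor can create and publish a page with any content.
function example_vulnerable_create_page() {
    $post_id = wp_insert_post( array(
        'post_type'    => 'page',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => ( 'publish' === ( $_POST['status'] ?? '' ) ) ? 'publish' : 'draft',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// HARDENED PATTERN: verify a nonce (CSRF), then require the capability that matches
// the action actually requested. Drafting a page needs 'edit_pages'; publishing one
// needs 'publish_pages'. Contributors hold neither, so the request is refused.
function example_hardened_create_page() {
    check_ajax_referer( 'example_create_page', 'nonce' );

    $status = ( 'publish' === ( $_POST['status'] ?? '' ) ) ? 'publish' : 'draft';
    $needed = ( 'publish' === $status ) ? 'publish_pages' : 'edit_pages';

    if ( ! current_user_can( $needed ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $post_id = wp_insert_post( array(
        'post_type'    => 'page',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => $status,
        'post_author'  => get_current_user_id(), // attribute the page to the real caller
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}

// Only the hardened handler is registered; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_example_create_page', 'example_hardened_create_page' );
```

A nonce alone is not a substitute for the capability check: it proves the request came from the site's own page, not that the caller is allowed to perform the action.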

Risks and Potential Impacts:

The implications of CVE-2024-1318 are far-reaching. Unauthorized content publication can lead to the spread of misinformation, damage to brand reputation, and potentially even legal ramifications if malicious content is disseminated. For small businesses relying on their WordPress sites for operations, customer engagement, and sales, such vulnerabilities can be particularly damaging.

Remediation Steps:

To address this vulnerability, the plugin developers released a patched version, 4.4.3. Site owners are urged to update to this latest version immediately to close the security gap. Additionally, reviewing site content for any unauthorized changes and considering alternative plugins with robust security measures can further enhance site safety.

Previous Vulnerabilities:

This is not the first time vulnerabilities have been identified in the RSS Aggregator by Feedzy plugin. Since September 16, 2020, seven other security issues have been reported, highlighting the ongoing battle against digital threats and the importance of continuous vigilance.

Conclusion:

For small business owners, the challenge of staying abreast of every security update and vulnerability may seem daunting, especially when time and resources are limited. However, the consequences of neglecting these aspects can be dire. Implementing a routine check for updates, utilizing security plugins, and perhaps most importantly, partnering with a reliable digital security service can mitigate these risks. The recent RSS Aggregator by Feedzy vulnerability serves as a stark reminder that in the digital realm, proactive security measures are not just advisable; they are essential for safeguarding your business and your customers.

Staying Secure:

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
