RSS Aggregator by Feedzy Vulnerability – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator – Missing Authorization to Arbitrary Page Creation and Publication – CVE-2024-1318 | WordPress Plugin Vulnerability Report
Plugin Name: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Key Information:
- Software Type: Plugin
- Software Slug: feedzy-rss-feeds
- Software Status: Active
- Software Author: themeisle
- Software Downloads: 2,093,546
- Active Installs: 50,000
- Last Updated: February 13, 2024
- Patched Versions: 4.4.3
- Affected Versions: <= 4.4.2
Vulnerability Details:
- Name: RSS Aggregator by Feedzy <= 4.4.2
- Title: Missing Authorization to Arbitrary Page Creation and Publication
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- CVE: CVE-2024-1318
- CVSS Score: 6.5
- Publicly Published: February 9, 2024
- Researcher: Lucio Sá
- Description: The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'feedzy_wizard_step_process' and 'import_status' functions in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with Contributor access and above, who are normally restricted to only being able to create posts rather than pages, to draft and publish posts with arbitrary content.
Summary:
The RSS Aggregator by Feedzy plugin for WordPress has a vulnerability in versions up to and including 4.4.2 that allows for unauthorized modification of data due to missing capability checks. This vulnerability has been patched in version 4.4.3.
Detailed Overview:
This vulnerability was discovered by researcher Lucio Sá and publicly published on February 9, 2024. It affects all versions of the plugin up to and including 4.4.2. Because the 'feedzy_wizard_step_process' and 'import_status' functions perform no capability check before acting, authenticated users with Contributor level access or higher can bypass the normal role restrictions and draft or publish pages with arbitrary content, an action WordPress otherwise reserves for higher-level roles such as Editor and Administrator. This exposes sites to unauthorized content publication, which can be used to spread misinformation or malicious content through affected websites.
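To make the class of bug concrete, the following added example (written for this report; it is not the Feedzy plugin's code, and the hook and function names `demo_wizard_step`, `demo_wizard_step_vulnerable`, `demo_wizard_step_secure` and the nonce action `demo_wizard_nonce` are hypothetical) shows a WordPress admin-ajax handler that creates and publishes a page. The first version has exactly the defect the advisory describes, a write operation with no capability check, so any logged-in user who can reach `admin-ajax.php`, Contributors included, can publish a page. The second version adds the nonce and capability checks that the fix pattern requires.

```php
<?php
// Added illustrative example, not code from the Feedzy plugin.
// Assumes it is loaded inside WordPress (e.g. as a small plugin file).

// BEFORE (vulnerable pattern): `wp_ajax_*` hooks fire for any authenticated
// user, and nothing here verifies that the caller may create or publish pages.
function demo_wizard_step_vulnerable() {
    $post_id = wp_insert_post([
        'post_type'    => 'page',
        'post_status'  => 'publish',
        'post_title'   => sanitize_text_field(wp_unslash($_POST['title'] ?? '')),
        'post_content' => wp_kses_post(wp_unslash($_POST['content'] ?? '')),
    ]);
    wp_send_json_success(['post_id' => $post_id]);
}
// add_action('wp_ajax_demo_wizard_step', 'demo_wizard_step_vulnerable');

// AFTER (hardened): reject the request before any state change unless
// (1) it carries a valid nonce for this action and
// (2) the current user holds the capability WordPress itself uses to gate
//     page publication. Contributors have 'edit_posts' only, so they fail here.
function demo_wizard_step_secure() {
    // Nonce check: stops cross-site request forgery against a privileged user.
    check_ajax_referer('demo_wizard_nonce', 'nonce');

    // Capability check: the missing piece in the vulnerable version.
    if (!current_user_can('publish_pages')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }

    $post_id = wp_insert_post([
        'post_type'    => 'page',
        'post_status'  => 'publish',
        'post_title'   => sanitize_text_field(wp_unslash($_POST['title'] ?? '')),
        'post_content' => wp_kses_post(wp_unslash($_POST['content'] ?? '')),
    ]);

    if (is_wp_error($post_id)) {
        wp_send_json_error(['message' => $post_id->get_error_message()], 500);
    }
    wp_send_json_success(['post_id' => $post_id]);
}
add_action('wp_ajax_demo_wizard_step', 'demo_wizard_step_secure');
```

Two details matter when reviewing handlers like this. `check_ajax_referer` alone is not authorization: a Contributor can obtain a valid nonce from a page they are allowed to load, so the `current_user_can` check is what actually enforces the role boundary. And the capability should match the action being performed (`publish_pages` for publishing a page, `edit_pages` for drafting one) rather than a coarse `manage_options`, so that legitimate Editors keep working while Contributors are refused.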
Advice for Users:
- Immediate Action: Users of the RSS Aggregator by Feedzy plugin should immediately update to the patched version 4.4.3 to mitigate this vulnerability.
- Check for Signs of Vulnerability: Administrators should review their site for any unauthorized or suspicious pages that may have been created or published.
- Alternate Plugins: While a patch is available, considering alternative plugins offering similar functionality might be a wise precaution.
- Stay Updated: Ensure that all plugins, not just RSS Aggregator by Feedzy, are regularly updated to their latest versions to avoid potential vulnerabilities.
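For the "Check for Signs of Vulnerability" step above, the following added script (not part of the report or the plugin; the function name `demo_audit_pages_by_low_privilege_authors` is hypothetical) lists pages created since a given date whose author does not hold the `publish_pages` capability. A page attributed to a Contributor is not proof of exploitation, but it is exactly the artifact this vulnerability would leave behind, so it is a useful starting point for review. It assumes a loaded WordPress environment, for example run with `wp eval-file audit-pages.php` under WP-CLI.

```php
<?php
// Added audit example, not code from the Feedzy plugin.
// Run inside WordPress (e.g. `wp eval-file audit-pages.php`).

/**
 * Return pages created after $since whose author lacks 'publish_pages'.
 * Each entry: [id, title, status, author login, author roles, created].
 */
function demo_audit_pages_by_low_privilege_authors(string $since): array {
    $pages = get_posts([
        'post_type'   => 'page',
        'post_status' => ['publish', 'draft', 'pending', 'future', 'private'],
        'numberposts' => -1,
        'date_query'  => [['after' => $since, 'inclusive' => true]],
        'orderby'     => 'date',
        'order'       => 'ASC',
    ]);

    $suspects = [];
    foreach ($pages as $page) {
        $author = get_userdata((int) $page->post_author);

        // A deleted author account is itself worth a look, so report it too.
        if (!$author || !user_can($author, 'publish_pages')) {
            $suspects[] = [
                'id'      => $page->ID,
                'title'   => $page->post_title,
                'status'  => $page->post_status,
                'author'  => $author ? $author->user_login : '(missing user #' . $page->post_author . ')',
                'roles'   => $author ? implode(',', $author->roles) : '',
                'created' => $page->post_date_gmt,
            ];
        }
    }
    return $suspects;
}

// Review window: the advisory's publication date is a reasonable lower bound,
// but widen it if the plugin was installed earlier.
$suspects = demo_audit_pages_by_low_privilege_authors('2024-01-01');

if (empty($suspects)) {
    echo "No pages authored by users without 'publish_pages' in the window.\n";
} else {
    foreach ($suspects as $s) {
        printf("page #%d [%s] \"%s\" by %s (%s) created %s UTC\n",
            $s['id'], $s['status'], $s['title'], $s['author'], $s['roles'], $s['created']);
    }
}
```

Pages flagged by the script should be read in full, since the attack is arbitrary content rather than any fixed payload, and the `post_modified` timestamp and revision history of each one can be compared against the author's normal activity before deciding whether to unpublish or delete it.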
Conclusion:
The swift action taken by the developers of RSS Aggregator by Feedzy to release a patch for this vulnerability underscores the critical nature of keeping software up to date. Users are strongly advised to update to version 4.4.3 or later to protect their WordPress installations from potential exploits.