RSS Aggregator by Feedzy Vulnerability – Missing Authorization – CVE-2023-6798 | WordPress Plugin Vulnerability Report
Plugin Name: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Key Information:
- Software Type: Plugin
- Software Slug: feedzy-rss-feeds
- Software Status: Active
- Software Author: themeisle
- Software Downloads: 1,986,458
- Active Installs: 50,000
- Last Updated: January 5, 2024
- Patched Versions: 4.3.3
- Affected Versions: <= 4.3.2
Vulnerability Details:
- Name: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2
- Title: Missing Authorization
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CVE: CVE-2023-6798
- CVSS Score: 5.4
- Publicly Published: January 5, 2024
- Researcher: Colin Xu
- Description: The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers with author-level access or above to change the plugin's settings, including proxy settings, which are also exposed to authors.
Summary:
The RSS Aggregator by Feedzy plugin for WordPress has a vulnerability in versions up to and including 4.3.2 that allows authenticated attackers with author-level access or above to perform unauthorized settings updates, including proxy settings. This vulnerability has been patched in version 4.3.3.
Detailed Overview:
The vulnerability arises from a missing capability check when updating settings, allowing authenticated attackers with author-level access or above to change various plugin settings, including sensitive proxy settings exposed to authors. The risk involves potential unauthorized modification of plugin configurations. To address this vulnerability, users are strongly advised to update to version 4.3.3.
Advice for Users:
- Immediate Action: Update the RSS Aggregator by Feedzy plugin to version 4.3.3 or later.
- Check for Signs of Vulnerability: Review the plugin settings for any unauthorized modifications, especially in proxy settings.
- Alternate Plugins: Consider using alternative plugins that offer similar functionality as a precaution.
- Stay Updated: Regularly update your WordPress plugins to the latest versions to avoid vulnerabilities.
Conclusion:
The swift response from the RSS Aggregator by Feedzy developers to patch this vulnerability emphasizes the importance of timely updates. Users are advised to ensure that they are running version 4.3.3 or later to secure their WordPress installations.
Simplifying Website Security for Busy Owners
As a busy website owner without ample time to stay on top of every threat, keeping your site secure can feel impossible. But vulnerabilities like the one recently patched in the popular RSS Aggregator plugin only reinforce why vigilance matters. In this post I’ll simplify security by clearly explaining the vulnerability, your risk level, and actionable ways to lock down your website in minutes.
Understanding the RSS Aggregator Vulnerability
RSS Aggregator by Feedzy helps over 50,000 WordPress users automatically convert feeds into posts, pages, and more. This week a security researcher disclosed a vulnerability in versions up to 4.3.2 enabling some authenticated users to modify settings without authorization.
Specifically, the bug stems from a missing capability check when updating settings. Users with Author access or above could use this to change sensitive proxy settings and other configuration they should not control. Attackers could leverage this to redirect traffic, inject ads, or enable unwanted capabilities.
The developers have now released version 4.3.3, which fully fixes the vulnerability. It carries a moderate CVSS score of 5.4 because exploitation is limited to authenticated users holding at least the Author role. Still, RSS Aggregator users face unnecessary risk until they update.
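The missing capability check described in the Detailed Overview above and in this section, as an added illustration that is not Feedzy's own code: a hypothetical WordPress plugin settings handler in its vulnerable and hardened forms, plus an audit hook that makes unexpected proxy-setting changes visible in the log. All `myfeed_*` names and the option layout are assumptions.

```php
<?php
/**
 * Added example (not Feedzy's code). Everything named myfeed_* is a
 * hypothetical plugin used only to show the bug class on this page.
 */

// BEFORE: the vulnerable pattern. wp_ajax_* hooks fire for any logged-in
// user, so without a capability check an Author can overwrite the proxy
// settings simply by posting to admin-ajax.php.
function myfeed_save_settings_vulnerable() {
    $settings = get_option( 'myfeed_settings', array() );
    $settings['proxy_host'] = sanitize_text_field( wp_unslash( $_POST['proxy_host'] ?? '' ) );
    $settings['proxy_port'] = absint( $_POST['proxy_port'] ?? 0 );
    update_option( 'myfeed_settings', $settings );
    wp_send_json_success();
}

// AFTER: authorization first (manage_options = Administrators by default),
// then CSRF protection via a nonce, then sanitized input.
function myfeed_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // ends the request
    }
    check_ajax_referer( 'myfeed_save_settings', 'nonce' ); // dies on a bad nonce

    $settings = get_option( 'myfeed_settings', array() );
    $settings['proxy_host'] = sanitize_text_field( wp_unslash( $_POST['proxy_host'] ?? '' ) );
    $settings['proxy_port'] = absint( $_POST['proxy_port'] ?? 0 );
    update_option( 'myfeed_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_myfeed_save_settings', 'myfeed_save_settings_fixed' );

// Audit hook: record who changed the proxy host, so the "check for signs of
// unauthorized modification" step has something concrete to look at.
function myfeed_audit_settings_change( $old_value, $value ) {
    $old_host = is_array( $old_value ) ? ( $old_value['proxy_host'] ?? '' ) : '';
    $new_host = is_array( $value ) ? ( $value['proxy_host'] ?? '' ) : '';
    if ( $old_host !== $new_host ) {
        $user = wp_get_current_user();
        error_log( sprintf(
            'myfeed: proxy_host changed from "%s" to "%s" by user #%d (%s)',
            $old_host, $new_host, $user->ID, $user->user_login
        ) );
    }
}
add_action( 'update_option_myfeed_settings', 'myfeed_audit_settings_change', 10, 2 );
```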
Assessing Your Site’s Risk Level
While rated moderate rather than critical, the vulnerability still exposes a site to unnecessary risk from unexpected changes in plugin behavior. Attackers could use altered proxy settings to silently intercept traffic, tamper with analytics to steal insights, or change import configurations in ways that introduce further vulnerabilities.
The good news is that sites which tightly restrict who holds Author permissions likely face minimal real-world risk even before patching. Everyone should still update regardless, because the settings-modification vector has no legitimate reason to exist. Eliminating unnecessary exposure keeps your site safer.
Updating to Eliminate the Vulnerability
If RSS Aggregator is active on your WordPress site, you should:
- Immediately update to v4.3.3, which repairs this bug by adding the missing capability check.
- Check all plugin settings for anything modified without approval.
- Consider temporarily disabling the plugin until assessing the risk.
- Restrict Author-level accounts to only the configuration changes they legitimately need.
Staying Secure Long-Term
RSS Aggregator has faced 3 previous vulnerabilities over the past few years, indicating systemic issues around access controls. From arbitrary surveys to remote code execution, threats inevitably arise without diligent auditing and patching.
As tempting as neglecting security feels for overloaded owners, a well-hardened site takes little effort:
- Enable automatic background updates for plugins to remove the manual chore.
- Minimize plugins and themes to only reputable options essential for your needs.
- Leverage managed WordPress hosts handling technical tasks like updates for you.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.