cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for feedzy-rss-feeds

Jun 07, 2024

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2020-36758

CVE, Research URL

CVE-2020-36758

Date
Oct 20, 2023
Research Description
The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.2. This is due to missing or incorrect nonce validation on the save_feedzy_post_type_meta() function. This makes it possible for unauthenticated attackers to update post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 3.4.3.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2023-6801

CVE, Research URL

CVE-2023-6801

Date
Jan 06, 2024
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.3.3.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2024-1317

CVE, Research URL

CVE-2024-1317

Date
Feb 29, 2024
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to SQL Injection via the ‘search_key’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 4.4.3.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # a84915d323f40fb703c7324f068ffedd71b1483c

Date
Sep 16, 2020
Research Description
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator [feedzy-rss-feeds] < 3.4.3 (closed). WordPress RSS Aggregator by Feedzy plugin <= 3.4.2 - Cross-Site Request Forgery (CSRF) vulnerability. Cross-Site Request Forgery (CSRF) vulnerability found by Jerome Bruandet (NinTechNet) in WordPress RSS Aggregator by Feedzy plugin (versions <= 3.4.2).
Affected versions
max 3.4.3.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2022-4667

CVE, Research URL

CVE-2022-4667

Date
Jan 31, 2023
Research Description
The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does not validate and escape some of its block options before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Affected versions
max 4.1.1.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2023-6805

CVE, Research URL

CVE-2023-6805

Date
Apr 17, 2024
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 4.4.7 via the fetch_feed functionality. This makes it possible for authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to modify information from internal services. NOTE: This vulnerability, exploitable by contributor-level users, was fixed in version 4.4.7. The same vulnerability was fixed for author-level users in version 4.4.8.
Affected versions
max 4.4.8.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2023-6798

CVE, Research URL

CVE-2023-6798

Date
Jan 06, 2024
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with author-level access or above to change the plugin's settings including proxy settings, which are also exposed to authors.
Affected versions
max 4.4.2.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2024-1092

CVE, Research URL

CVE-2024-1092

Date
Feb 06, 2024
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the feedzy dashboard in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with contributor access or higher, to create, edit or delete feed categories created by them.
Affected versions
max 4.4.2.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2023-6877

CVE, Research URL

CVE-2023-6877

Date
Apr 07, 2024
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.3.3 due to insufficient input sanitization and output escaping on the Content-Type field of error messages when retrieving an invalid RSS feed. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.3.4.
Status
vulnerable

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2024-1318

CVE, Research URL

CVE-2024-1318

Date
Feb 29, 2024
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'feedzy_wizard_step_process' and 'import_status' functions in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with Contributor access and above, who are normally restricted to only being able to create posts rather than pages, to draft and publish posts with arbitrary content.
Affected versions
max 4.4.3.
Status
vulnerable

Nov 10, 2025

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2025-11128

CVE, Research URL

CVE-2025-11128

Date
Oct 23, 2025
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
Affected versions
max 5.1.1.
Status
vulnerable

Jan 10, 2026

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2025-11467

CVE, Research URL

CVE-2025-11467

Date
Dec 11, 2025
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions
max 5.1.2.
Status
vulnerable

Jun 07, 2026

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator # CVE-2026-8976

CVE, Research URL

CVE-2026-8976

Date
Jun 06, 2026
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.
Affected versions
max 5.1.8.
Status
vulnerable