cleantalk
Vulnerabilities and Security Researches

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator, CVE-2026-8976

CVE, Research URL

CVE-2026-8976

Home page URL

Security reports for RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Application

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Published on
Jun 06, 2026
Research Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.
Affected versions
max 5.1.8.
Status
vulnerable
Previous vulnerability researches
Stripe Express (4b8502a4cf5209c95f7abee1405df2d2eac8a87d) , Jun 07, 2024
Stripe Express (CVE-2026-8893) , Jun 07, 2026
New vulnerability
ACF-VC Integrator (CVE-2023-33999) , Jun 13, 2026
WooCommerce Country Catalogs – Product Country Restrictions (CVE-2023-33999) , Jun 13, 2026
Multipurpose Gutenberg Block (CVE-2023-33999) , Jun 13, 2026
Embed Docs – Elementor Files Addon,Elementor Docs Addon,Embed PDF, Word, PowerPoint and Excel Files in Gutenberg & El (CVE-2023-33999) , Jun 13, 2026
Reader Mode – Distraction-Free Content Reader (CVE-2023-33999) , Jun 13, 2026