CVE-2024-1318 in RSS Aggregator Plugin

Summary

by MITRE • 02/29/2024

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'feedzy_wizard_step_process' and 'import_status' functions in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with Contributor access and above, who are normally restricted to only being able to create posts rather than pages, to draft and publish posts with arbitrary content.


Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1318 affects the RSS Aggregator by Feedzy plugin for WordPress in all versions up to and including 4.4.2. It is an authorization bypass that undermines the security model of affected WordPress installations. The vulnerability stems from missing capability checks in two functions: 'feedzy_wizard_step_process' and 'import_status'. These functions handle administrative operations related to RSS feed processing and import status management, yet they do not verify the caller's permissions before executing those sensitive operations. As a result, authenticated users with Contributor-level access or higher can reach them, despite Contributors normally being restricted from creating pages and from modifying certain content types.

The technical nature of this vulnerability aligns with CWE-284, Improper Access Control. Attackers leveraging this vulnerability can use the plugin's functionality to draft and publish posts containing arbitrary content, bypassing the standard WordPress permission model. This is a significant escalation from the typical Contributor role, which should restrict users to creating posts without the ability to publish content or modify other users' posts. The vulnerability specifically affects the plugin's wizard processing and import status management, both of which are core components of its automated content generation and feed processing.

From an operational impact perspective, this vulnerability enables authenticated attackers to inject malicious content into WordPress sites, potentially leading to various security consequences including defacement, phishing attacks, or the distribution of malware through compromised feeds. The ability to publish posts with arbitrary content means that attackers can manipulate the site's content in ways that may not be immediately obvious to administrators, as the posts appear to be legitimate content generated through the normal feed aggregation process. This makes detection more challenging and could allow attackers to maintain persistence or establish backdoors through carefully crafted content.

The exploitation of this vulnerability follows ATT&CK technique T1078.004, which involves legitimate credentials gained through compromise, and T1496, which focuses on resource hijacking through the use of compromised credentials. Organizations should immediately implement mitigations including updating to the patched version of the plugin, reviewing user permissions, and monitoring for unauthorized content creation or modification. Additionally, implementing network monitoring to detect unusual feed processing activities and conducting regular security audits of installed plugins can help identify similar vulnerabilities. The vulnerability demonstrates the critical importance of proper capability checks in plugin development and highlights the risks associated with insufficient input validation and access control mechanisms in WordPress ecosystem components.
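To make the "missing capability check" concrete, here is an added illustration (not Feedzy's own code, which this page does not show) of the vulnerable pattern in a WordPress AJAX handler beside its hardened form. The handler names, the nonce action and the 'manage_options' capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's own code: a WordPress AJAX handler that
// publishes a post on behalf of the caller. Handler and nonce names are assumed.

// VULNERABLE PATTERN: a wp_ajax_ hook only requires that the caller be logged in,
// and this callback never asks whether that user may publish posts. Any
// Contributor can therefore reach it and have arbitrary content published.
add_action( 'wp_ajax_example_import_step', 'example_import_step_vulnerable' );
function example_import_step_vulnerable() {
    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => 'publish',
    ) );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// HARDENED PATTERN: verify a nonce (CSRF protection) and then an explicit
// capability before doing anything. 'manage_options' is Administrator-only;
// use the narrowest capability that fits the operation (e.g. 'publish_posts').
add_action( 'wp_ajax_example_import_step_safe', 'example_import_step_hardened' );
function example_import_step_hardened() {
    // Ends the request with a 403 if the nonce is missing, wrong or expired.
    check_ajax_referer( 'example_import_step', 'nonce' );

    // This capability check is the control CVE-2024-1318 describes as missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => 'publish',
    ) );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ) );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

When auditing a plugin, look for every wp_ajax_ and admin-post.php callback that writes content or settings and confirm it performs both a nonce check and a current_user_can() check before the write.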

Responsible

Wordfence

Reservation

02/07/2024

Disclosure

02/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00518

KEV

no

Activities

very low
