CVE-2026-8976: RSS Aggregator by Feedzy Authorization Bypass – WordPress Plugin Vulnerability
The RSS Aggregator by Feedzy plugin for WordPress fails to properly verify user permissions, allowing contributors and higher-level users to perform administrative actions they shouldn't be able to access. An authenticated attacker with basic contributor rights can create RSS import jobs, delete all posts from any import, clear error logs, and view sensitive taxonomy and post metadata information. The vulnerability is particularly dangerous because the security token needed to perform these actions is automatically exposed to anyone who can edit posts through the block editor interface—no additional hacking or theft is required.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.
22 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8976 is an authorization bypass vulnerability (CWE-862) in RSS Aggregator by Feedzy versions up to 5.1.7. The plugin fails to enforce proper capability checks on multiple sub-handlers that manage RSS import operations. The nonce required to access these handlers is leaked via the feedzyjs localized script injected into the WordPress block editor, meaning any authenticated user with the edit_posts capability automatically receives the security token. This eliminates the need for nonce theft or separate exploit steps. Affected actions include RSS import job creation and execution, post purging via import job IDs, error log clearing, and enumeration of taxonomy terms and post meta keys.
Business impact
This vulnerability could allow disruptive content manipulation within affected WordPress sites. Contributors—often external writers, guest authors, or less-privileged team members—can unilaterally delete large volumes of posts associated with RSS imports without editorial oversight. Error logs can be cleared to hide tracks of malicious activity. Taxonomy and meta enumeration could facilitate further reconnaissance of site structure. Organizations using Feedzy to automate content aggregation or autoblogging face potential data loss, operational disruption, and audit trail destruction. The risk is heightened in multi-author or agency environments where contributor accounts are routinely provisioned.
Affected systems
WordPress installations running the RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin in any version up to and including 5.1.7 are vulnerable. The vulnerability requires authenticated access, so it only affects sites that have created contributor-level or higher user accounts. Sites with strict user role policies or those running only with administrator accounts have lower immediate risk, though the vulnerability remains present and should be patched.
Exploitability
Exploitability is straightforward for anyone with valid WordPress contributor credentials or above. No additional vulnerability chaining, privilege escalation technique, or social engineering is required. An attacker simply logs in with a compromised or legitimate contributor account, accesses the block editor where the nonce is automatically leaked, and can immediately invoke the vulnerable handlers to modify or delete content. The barrier to exploitation is authentication only, making this a realistic risk in any environment where contributor accounts exist or where account credentials have been compromised.
Remediation
Update the RSS Aggregator by Feedzy plugin to a version newer than 5.1.7 that implements proper capability verification on all sub-handlers. Verify against the vendor's advisory to confirm the exact patched version. Additionally, conduct a capability audit of your WordPress user base—remove unnecessary contributor accounts, audit recent import job activity and post deletions, and restore any unexpectedly purged content from backups if available. Review access logs during the vulnerability window for any suspicious import operations.
Patch guidance
Monitor the RSS Aggregator by Feedzy plugin repository and vendor advisories for a patched release. When available, update the plugin to the first version released after 5.1.7 that addresses this authorization bypass. Test the update in a staging environment first to ensure compatibility with your active RSS import configurations. After patching, verify that import jobs execute normally and that the authorization checks are in place by attempting to execute restricted actions with a test contributor account. Keep the plugin enabled during the update window to avoid accidental downtime, but prioritize the update given the low CVSS score does not reflect the actual operational risk in multi-author environments.
Detection guidance
Review WordPress administrator and audit logs for import job creation, post deletion, and error log access from contributor-level or lower-privileged accounts. Check the WordPress posts table for unexpected bulk deletions correlated with RSS Feedzy import job IDs. Examine plugin activity logs or database tables specific to Feedzy for import jobs created by non-administrative users. Network-based detection is unlikely to be fruitful since the vulnerability is exploited via authenticated WordPress API calls; focus instead on application-level logging within WordPress and the plugin itself.
Why prioritize this
Although the CVSS 3.1 score is 4.3 (MEDIUM), this vulnerability warrants earlier-than-typical patching in multi-author environments. The low barrier to exploitation (authentication only, no nonce theft required), the high operational impact of bulk post deletion, and the audit trail destruction capability collectively elevate practical risk. Single-author blogs or admin-only sites face lower urgency. Organizations with multiple contributors, guest authors, or managed WordPress hosting should prioritize this patch within 1–2 weeks to prevent accidental or malicious content loss.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects a network-accessible, authenticated, low-complexity vulnerability with limited scope (CWE-862 authorization bypass). Integrity is impacted (post deletion, log clearing) but not confidentiality or availability in the traditional sense. The score does not account for the operational severity in multi-author publishing workflows or the ease of exploitation due to nonce leakage. Security teams should apply organizational context: in publishing or agency environments, the practical risk is significantly higher than the base CVSS suggests.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires valid WordPress authentication with at least contributor-level privileges. An attacker must have or obtain legitimate credentials to log in to the WordPress backend.
Does the nonce leak mean we need a separate exploit step?
No. The security token (nonce) is automatically leaked via the feedzyjs script in the block editor, so any contributor who logs in can immediately use it. There is no need for additional nonce theft or exploitation techniques.
If we disable the Feedzy plugin, are we protected?
Disabling the plugin stops the vulnerability from being exploitable, but it also stops RSS import functionality. The recommended approach is to update to a patched version rather than disable the plugin permanently, unless you have decided to sunset RSS aggregation.
Can we mitigate this by removing contributor accounts?
Removing contributor accounts eliminates the attack surface, but most publishing workflows require contributors. A better approach is strict access reviews (remove unused accounts) combined with urgent patching. Monitor for suspicious import activity in the interim.
This analysis is based on publicly disclosed vulnerability information as of the date of publication. CVSS scores are provided by the vulnerability maintainer and reflect base metrics only; organizational risk may differ significantly based on deployment context and user management practices. No exploit code or weaponized proof-of-concept is provided. Organizations should verify patch availability with the vendor before implementing mitigations. This information is intended for security professionals and system administrators responsible for WordPress environments and is not legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis