Feedzy RSS Aggregator WordPress Plugin Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Feedzy RSS Aggregator WordPress plugin in all versions up to and including 5.1.0. The vulnerability arises in the Gutenberg block version of the plugin, where the 'feedzy_sanitize_feeds' function does not properly validate feed URLs. This flaw allows authenticated attackers with Subscriber-level access or higher to make the server send requests to arbitrary locations, potentially reaching internal services or resources.

Impact

Exploitation of this vulnerability could cause the WordPress application to make unauthorized web requests to external or internal services of the attacker's choosing. This could be used to gather information from internal services that are not exposed to the public internet.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can use the Gutenberg block editor to add a Feedzy RSS Feeds block. Once the block is added, the user can input a feed URL into the 'feedzy-source' input field. The 'feedzy_sanitize_feeds' function will process the input URL. However, due to insufficient validation, the function allows the inclusion of malicious URLs that can be used to perform SSRF attacks. After the feed URL is validated and accepted, the block can be published or updated, triggering the vulnerability.
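The root cause described above is a feed URL sanitizer that accepts the URL without checking where it actually points. The following is an added illustrative example, not Feedzy's code and not the 5.1.1 patch, of the kind of check a hardened sanitizer performs: accept only http/https, refuse embedded credentials, resolve the host, and reject any answer that is loopback, private, link-local, multicast, reserved or unspecified (IPv4-mapped IPv6 addresses are unwrapped first). The function names, the constructed FAKE_DNS table and the sample addresses are all assumptions made for the demonstration.

```python
"""Illustrative SSRF-safe feed URL validation (added example, not the plugin's code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(hostname):
    """Resolve a hostname to every A/AAAA address it currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_address(addr_text):
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (which covers cloud metadata endpoints),
    CGNAT 100.64/10, multicast, reserved, unspecified and the documentation
    ranges are all rejected. IPv4-mapped IPv6 is unwrapped before the check.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_multicast or addr.is_unspecified or addr.is_reserved:
        return False
    return addr.is_global


def validate_feed_url(url, resolver=default_resolver):
    """Return (accepted, reason).

    A URL is accepted only if it is http(s), carries no credentials, and its
    host (literal or resolved) maps exclusively to public addresses. A host
    with even one non-public answer is rejected, since the fetcher may pick
    any of them.
    """
    try:
        parts = urlparse(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # Literal IP in the URL: validate it directly, no DNS lookup needed.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, OSError):
            return False, f"cannot resolve {host!r}"
    if not addresses:
        return False, f"no addresses for {host!r}"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS table so the demo runs offline; production code uses
# default_resolver. Public addresses are well-known resolver IPs standing in
# for a real feed host.
FAKE_DNS = {
    "feeds.example.com": ["8.8.8.8", "2606:4700:4700::1111"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["8.8.4.4", "127.0.0.1"],  # one internal answer is enough to reject
}


def fake_resolver(hostname):
    """Offline stand-in for default_resolver backed by the constructed table."""
    try:
        return FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no entry for {hostname}")


if __name__ == "__main__":
    for candidate in ("https://feeds.example.com/rss", "http://intranet.example/",
                      "http://mixed.example/", "http://127.0.0.1:8080/",
                      "http://[::1]/", "file:///etc/hostname"):
        print(candidate, validate_feed_url(candidate, fake_resolver))
```

Two caveats for anyone adapting this: the check resolves the name at validation time, so a host whose DNS answer changes between validation and fetch (DNS rebinding) can still slip through unless the fetcher pins the validated address, and the fetcher must also re-validate every redirect target rather than follow redirects blindly. WordPress core ships `wp_http_validate_url()`, which applies similar scheme and private-address checks, and a plugin sanitizer can build on it instead of reimplementing the logic.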

Remediation

Users are advised to update the Feedzy RSS Aggregator plugin to version 5.1.1 or later, where this vulnerability has been patched.

Added: Oct 23, 2025, 1:18 PM
Updated: Oct 23, 2025, 1:18 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          0.6
  exploitability  6.4
  remediation     7.7
  relevance       0.8
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.