Themeisle RSS Aggregator by Feedzy
Moderate fix1 remedy
cpe:2.3:a:themeisle:rss_aggregator_by_feedzy:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 5.1.1
Feedzy RSS Aggregator WordPress Plugin Blind Server-Side Request Forgery Vulnerability
Vulnerability
Patched
A Blind Server-Side Request Forgery (SSRF) vulnerability has been identified in the RSS Aggregator by Feedzy WordPress plugin, specifically in versions through 5.1.1. The vulnerability resides in the 'feedzy_lazy_load' function, allowing unauthenticated attackers to make web requests to arbitrary locations from the web application. This could be exploited to query and modify information from internal services.
Impact
Exploitation of this vulnerability could lead to unauthorized web requests being made from the server, potentially allowing attackers to access or manipulate data from internal services.
Reproduction
The vulnerability can be reproduced by sending a POST request to the WordPress REST API endpoint 'feedzy/v/{version}/lazy/' with a valid nonce. The request can include arbitrary URLs, which the server will fetch, demonstrating the server-side request forgery aspect of the vulnerability.
Remediation
Users are advised to update the Feedzy RSS Aggregator plugin to version 5.1.2 or later.
Added: Dec 11, 2025, 3:20 AM
Updated: Dec 11, 2025, 3:20 AM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
5.0exploitability
9.3remediation
7.7relevance
1.4threat
4.8urgency
2.9incentive
10.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.