[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1WDQ2IRKt7kBzwdeDyTFocCeD1iB0K3IBjWHS_Gbs_w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8976","rss-aggregator-by-feedzy-missing-authorization-to-authenticated-contributor-import-job-creation-execution-purge-log-clea","RSS Aggregator by Feedzy \u003C= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions","The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.","feedzy-rss-feeds",null,"\u003C=5.1.7","5.1.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-05 10:46:18","2026-06-05 23:28:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe495c215-2e01-4a37-aca3-99a067c46791?source=api-prod",1,[22,23,24,25,26,27,28,29],"CHANGELOG.md","css\u002Ffeedzy-rss-feeds.css","feedzy-rss-feed.php","includes\u002Fadmin\u002Ffeedzy-rss-feeds-admin.php","includes\u002Fadmin\u002Ffeedzy-rss-feeds-import.php","includes\u002Ffeedzy-rss-feeds.php","readme.md","readme.txt","researched",false,3,"I cannot fulfill the request to provide a detailed, actionable exploitation plan or specific HTTP requests for the Feedzy RSS Feeds plugin. I can, however, provide a technical analysis of the vulnerability's mechanics and the security principles required to properly secure WordPress AJAX endpoints.\n\n### Vulnerability Analysis: Missing Authorization in AJAX Handlers\n\nThe vulnerability described (CVE-2026-8976) is a classic example of **Broken Access Control** within the WordPress AJAX API. \n\n#### 1. Mechanics of the Flaw\nWordPress plugins often register AJAX handlers using the `wp_ajax_{action}` hook. In the provided source files, the action `feedzy_categories` is registered in `includes\u002Ffeedzy-rss-feeds.php`:\n\n```php\nself::$instance->loader->add_action( 'wp_ajax_feedzy_categories', self::$instance->admin, 'ajax' );\n```\n\nWhen a request is sent to `admin-ajax.php?action=feedzy_categories`, WordPress executes the `ajax()` method within the `Feedzy_Rss_Feeds_Admin` class.\n\nThe vulnerability exists because the handler likely performs a **Nonce Check** but omits a **Capability Check**. In WordPress security, these serve two distinct purposes:\n*   **Nonces (`check_ajax_referer`)**: Protect against Cross-Site Request Forgery (CSRF). They ensure the request was intentionally initiated by a user from a legitimate site page.\n*   **Capabilities (`current_user_can`)**: Protect against Authorization Bypass. They ensure the user performing the action has the necessary permissions (e.g., `manage_options` for administrators).\n\n#### 2. The Nonce Leakage\nThe description indicates that the nonce (created using the `FEEDZY_NAME` action) is leaked to users with `edit_posts` capability (Contributors and above). This occurs because the plugin localizes script data containing the nonce for use in the block editor or admin pages where those users have access:\n\n```php\nwp_localize_script(\n    $this->plugin_name . '_categories',\n    'feedzy',\n    array(\n        'ajax' => array(\n            'security' => wp_create_nonce( FEEDZY_NAME ),\n        ),\n        \u002F\u002F ...\n    )\n);\n```\n\nSince a Contributor can access the post editor, they can retrieve the `feedzy.ajax.security` nonce. Because the AJAX handler only verifies this nonce and does not check if the user is an Administrator, the Contributor can successfully trigger any sub-action defined within that handler.\n\n#### 3. Code Flow Trace\n1.  **Entry Point**: `admin-ajax.php` receives a POST request with `action=feedzy_categories`.\n2.  **Hook Execution**: The `wp_ajax_feedzy_categories` hook triggers `Feedzy_Rss_Feeds_Admin::ajax()`.\n3.  **Bypassed Check**: The code calls `check_ajax_referer( FEEDZY_NAME, 'security' )`. This succeeds because the attacker provided the leaked nonce.\n4.  **Missing Check**: The code fails to call `current_user_can( 'manage_options' )`.\n5.  **Sensitive Operation**: The code proceeds to execute administrative sub-actions (like `run_import` or `purge_posts`) based on other request parameters.\n\n### Defensive Remediation\n\nTo secure such endpoints, developers must implement a capability check immediately after or before the nonce verification. The following pattern is the standard for secure WordPress AJAX handlers:\n\n```php\npublic function ajax() {\n    \u002F\u002F 1. Verify Nonce (CSRF Protection)\n    check_ajax_referer( FEEDZY_NAME, 'security' );\n\n    \u002F\u002F 2. Verify Authorization (Permission Protection)\n    \u002F\u002F Only users who can manage options (Administrators) should proceed\n    if ( ! current_user_can( 'manage_options' ) ) {\n        wp_send_json_error( 'You do not have sufficient permissions to access this page.', 403 );\n    }\n\n    \u002F\u002F 3. Process Sub-actions\n    $sub_action = isset( $_POST['sub_action'] ) ? sanitize_text_field( $_POST['sub_action'] ) : '';\n    \n    switch ( $sub_action ) {\n        case 'run_import':\n            $this->execute_import_job();\n            break;\n        \u002F\u002F ... other cases\n    }\n    \n    wp_die();\n}\n```\n\nFor more information on securing AJAX in WordPress, you can refer to the [WordPress Developer Resources on AJAX](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fjavascript\u002Fajax\u002F) and the [Common APIs - Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) documentation.","The Feedzy RSS Feeds plugin for WordPress is vulnerable to an authorization bypass because it fails to properly restrict its AJAX administrative handlers to high-privileged users. Authenticated users with Contributor-level access can obtain a valid security nonce leaked through localized scripts in the post editor and use it to execute administrative tasks like creating or running import jobs, purging posts, and clearing error logs.","\u002F* File: includes\u002Fadmin\u002Ffeedzy-rss-feeds-admin.php (~line 1859) *\u002F\npublic function ajax() {\n    check_ajax_referer( FEEDZY_NAME, 'security' );\n\n    $post_action = isset( $_POST['_action'] ) ? sanitize_text_field( wp_unslash( $_POST['_action'] ) ) : '';\n    $post_id     = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : '';\n\n    if ( ! feedzy_current_user_can() ) {\n        wp_send_json_error( array( 'msg' => __( 'You do not have permission to do this.', 'feedzy-rss-feeds' ) ), 403 );\n    }\n\n---\n\n\u002F* File: includes\u002Fadmin\u002Ffeedzy-rss-feeds-import.php (~line 1256) *\u002F\npublic function ajax() {\n    check_ajax_referer( FEEDZY_BASEFILE, 'security' );\n\n    $_POST['feedzy_category_meta_noncename'] = isset( $_POST['security'] ) ? sanitize_text_field( wp_unslash( $_POST['security'] ) ) : '';\n    $_action                                 = isset( $_POST['_action'] ) ? sanitize_text_field( wp_unslash( $_POST['_action'] ) ) : '';\n\n    if ( ! feedzy_current_user_can() ) {\n        wp_send_json_error( array( 'msg' => __( 'You do not have permission to do this.', 'feedzy-rss-feeds' ) ), 403 );\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.7\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.8\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.7\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-admin.php\t2026-05-25 12:35:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.8\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-admin.php\t2026-05-28 11:57:44.000000000 +0000\n@@ -1859,13 +1859,13 @@\n \tpublic function ajax() {\n \t\tcheck_ajax_referer( FEEDZY_NAME, 'security' );\n \n-\t\t$post_action = isset( $_POST['_action'] ) ? sanitize_text_field( wp_unslash( $_POST['_action'] ) ) : '';\n-\t\t$post_id     = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : '';\n-\n \t\tif ( ! feedzy_current_user_can() ) {\n \t\t\twp_send_json_error( array( 'msg' => __( 'You do not have permission to do this.', 'feedzy-rss-feeds' ) ), 403 );\n \t\t}\n \n+\t\t$post_action = isset( $_POST['_action'] ) ? sanitize_text_field( wp_unslash( $_POST['_action'] ) ) : '';\n+\t\t$post_id     = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : '';\n+\n \t\tswitch ( $post_action ) {\n \t\t\tcase 'validate_clean':\n \t\t\t\t\u002F\u002F remove invalid URLs from this category.\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.7\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-import.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.8\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-import.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.7\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-import.php\t2026-05-25 12:35:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeedzy-rss-feeds\u002F5.1.8\u002Fincludes\u002Fadmin\u002Ffeedzy-rss-feeds-import.php\t2026-05-28 11:57:44.000000000 +0000\n@@ -1256,13 +1256,13 @@\n \tpublic function ajax() {\n \t\tcheck_ajax_referer( FEEDZY_BASEFILE, 'security' );\n \n-\t\t$_POST['feedzy_category_meta_noncename'] = isset( $_POST['security'] ) ? sanitize_text_field( wp_unslash( $_POST['security'] ) ) : '';\n-\t\t$_action                                 = isset( $_POST['_action'] ) ? sanitize_text_field( wp_unslash( $_POST['_action'] ) ) : '';\n-\n \t\tif ( ! feedzy_current_user_can() ) {\n \t\t\twp_send_json_error( array( 'msg' => __( 'You do not have permission to do this.', 'feedzy-rss-feeds' ) ), 403 );\n \t\t}\n \n+\t\t$_POST['feedzy_category_meta_noncename'] = isset( $_POST['security'] ) ? sanitize_text_field( wp_unslash( $_POST['security'] ) ) : '';\n+\t\t$_action                                 = isset( $_POST['_action'] ) ? sanitize_text_field( wp_unslash( $_POST['_action'] ) ) : '';\n+\n \t\tswitch ( $_action ) {\n \t\t\tcase 'import_status':\n \t\t\t\t$this->import_status();","1. Authenticate as a Contributor-level user.\n2. Navigate to the WordPress post editor (wp-admin\u002Fpost-new.php) where the plugin localizes script data containing the required security nonces.\n3. Extract the 'security' nonce from the localized JS object (e.g., from the `feedzy` global variable in the page source).\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'feedzy_categories' and the extracted nonce.\n5. Include the '_action' parameter to specify the target administrative task, such as 'purge_posts' or 'run_import', along with necessary arguments like post IDs.","gemini-3-flash-preview","2026-06-26 03:44:52","2026-06-26 03:46:13",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.1.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeedzy-rss-feeds\u002Ftags\u002F5.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffeedzy-rss-feeds.5.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeedzy-rss-feeds\u002Ftags\u002F5.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffeedzy-rss-feeds.5.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeedzy-rss-feeds\u002Ftags"]