{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11128", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-27T21:52:08.932Z", "datePublished": "2025-10-23T12:32:32.611Z", "dateUpdated": "2026-04-08T17:20:21.392Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:21.392Z"}, "affected": [{"vendor": "themeisle", "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services."}], "title": "Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c33ec58f-3e83-425a-9f0f-5e529be15e05?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L280"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L309"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L399"}, {"url": "https://plugins.trac.wordpress.org/changeset/3378828/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "timeline": [{"time": "2025-09-27T22:08:01.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-23T13:38:55.005647Z", "id": "CVE-2025-11128", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-23T13:39:12.823Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11128", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-23T13:38:55.005647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-23T13:39:05.333Z"}}], "cna": {"title": "Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}}], "affected": [{"vendor": "themeisle", "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-27T22:08:01.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-22T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c33ec58f-3e83-425a-9f0f-5e529be15e05?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L280"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L309"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L399"}, {"url": "https://plugins.trac.wordpress.org/changeset/3378828/"}], "descriptions": [{"lang": "en", "value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-23T12:32:32.611Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11128", "state": "PUBLISHED", "dateUpdated": "2025-10-23T13:39:12.823Z", "dateReserved": "2025-09-27T21:52:08.932Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-23T12:32:32.611Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services."}], "id": "CVE-2025-11128", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-23T13:15:44.717", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L280"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L309"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L336"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L399"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3378828/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c33ec58f-3e83-425a-9f0f-5e529be15e05?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:07:40.835999+00:00", "value": {"mitigation_remediation": ["Update the plugin to version 5.1.1 or newer, which removes the SSRF flaw.", "If an update is not feasible, disable the plugin\u2019s ability to accept external URLs or remove Subscriber users from the role that can trigger the vulnerable function.", "Monitor outbound traffic and request logs for unexpected internal or external requests to detect potential misuse."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress installations running the RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin, versions up to and including 5.1.0, are affected. Only sites that have ever installed this version of the plugin and still run it expose the risk.", "description_and_impact": "The vulnerability resides in the \"feedzy_sanitize_feeds\" function of the Feedzy RSS Feeds Lite plugin, allowing an authenticated user with the Subscriber role or higher to supply arbitrary URLs that the WordPress instance will request. This Server\u2011Side Request Forgery (SSRF) can be used to contact internal network services or otherwise extract sensitive data that is otherwise not exposed through the public web interface. The weakness is identified as CWE\u2011918, describing the use of untrusted input as a provisional URL for a network request.", "risk_and_exploitability": "The CVSS score of 5 indicates a moderate severity, but the EPSS score of less than 1 percent shows a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers require only Subscriber-level authentication, which on many sites is broadly granted, so the threat surface is larger. Unless privileged accounts are hardened or the plugin updated, the risk remains moderate, primarily for sites that expose internal resources through the SSRF path."}}}}, "created": "2025-10-24T10:17:06.739850+00:00", "updated": "2026-04-21T02:15:06.524810+00:00", "vendors": ["themeisle", "themeisle$PRODUCT$rss_aggregator_by_feedzy", "wordpress", "wordpress$PRODUCT$wordpress"]}