{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69349", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:28.143Z", "datePublished": "2026-01-06T16:36:39.797Z", "dateUpdated": "2026-04-28T16:14:38.412Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "rss-feed-widget", "product": "RSS Feed Widget", "vendor": "Fahad Mahmood", "versions": [{"changes": [{"at": "3.0.3", "status": "unaffected"}], "lessThanOrEqual": "3.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:13.946Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects RSS Feed Widget: from n/a through <= 3.0.2.</p>"}], "value": "Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.412Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/rss-feed-widget/vulnerability/wordpress-rss-feed-widget-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress RSS Feed Widget plugin <= 3.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T19:50:57.867461Z", "id": "CVE-2025-69349", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:52:32.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69349", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T19:50:57.867461Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:51:17.932Z"}}], "cna": {"title": "WordPress RSS Feed Widget plugin <= 3.0.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fahad Mahmood", "product": "RSS Feed Widget", "versions": [{"status": "affected", "changes": [{"at": "3.0.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.2"}], "packageName": "rss-feed-widget", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:13.946Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/rss-feed-widget/vulnerability/wordpress-rss-feed-widget-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects RSS Feed Widget: from n/a through <= 3.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.135Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69349", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:52:32.198Z", "dateReserved": "2025-12-31T20:12:28.143Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:39.797Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2."}], "id": "CVE-2025-69349", "lastModified": "2026-04-27T21:16:25.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:47.350", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/rss-feed-widget/vulnerability/wordpress-rss-feed-widget-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:04:37.035449+00:00", "value": {"mitigation_remediation": ["Update the RSS Feed Widget plugin to the latest release available, ideally a version that addresses the missing authorization flaw.", "Configure the plugin\u2019s access controls so that only authenticated administrators can invoke its features, ensuring proper permission checks are enforced.", "If a patch is not yet released, disable or uninstall the plugin, or use network\u2011level restrictions to block non\u2011admin traffic from reaching the plugin\u2019s endpoints."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress RSS Feed Widget plugin developed by Fahad Mahmood. Versions from the initial release to 3.0.2 are vulnerable; no fixed version is mentioned in the provided data.", "description_and_impact": "The RSS Feed Widget plugin for WordPress contains a missing authorization flaw that results in broken access control for versions up to and including 3.0.2. This issue originates from incorrectly configured access control security levels, identified as CWE\u2011862. The plugin\u2019s functionality can be accessed without proper authentication, potentially exposing the plugin\u2019s endpoints and content to unauthenticated users. The description does not specify whether read, modify, or delete operations are possible, but the missing authorization indicates that some level of unauthorized interaction can occur.", "risk_and_exploitability": "The calculated CVSS score of 5.4 reflects a moderate severity for this missing authorization flaw. The EPSS score of less than 1% indicates a very low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the website\u2019s web interface, where an unauthenticated user could target the plugin\u2019s endpoints to access data protected by the broken access control."}}}}, "created": "2026-01-07T10:08:41.294873+00:00", "updated": "2026-04-28T10:15:28.847744+00:00", "vendors": ["fahadmahmood", "fahadmahmood$PRODUCT$rss_feed_widget", "wordpress", "wordpress$PRODUCT$wordpress"]}