{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7828", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T19:12:48.298Z", "datePublished": "2025-08-23T04:25:48.156Z", "dateUpdated": "2026-04-08T17:15:58.421Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:58.421Z"}, "affected": [{"vendor": "evigeo", "product": "WP Filter & Combine RSS Feeds", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds."}], "title": "WP Filter & Combine RSS Feeds <= 0.4 - Missing Authorization to Authenticated (Contributor+) Feed Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b09f97df-ee69-43aa-97b5-efc8ba16ef87?source=cve"}, {"url": "https://wordpress.org/plugins/wp-filter-combine-rss-feeds/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "timeline": [{"time": "2025-08-22T15:52:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T16:59:54.840960Z", "id": "CVE-2025-7828", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:01:36.224Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-25T16:59:54.840960Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:01:14.512Z"}}], "cna": {"title": "WP Filter & Combine RSS Feeds <= 0.4 - Missing Authorization to Authenticated (Contributor+) Feed Deletion", "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "evigeo", "product": "WP Filter & Combine RSS Feeds", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T15:52:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b09f97df-ee69-43aa-97b5-efc8ba16ef87?source=cve"}, {"url": "https://wordpress.org/plugins/wp-filter-combine-rss-feeds/"}], "descriptions": [{"lang": "en", "value": "The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:58.421Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7828", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:58.421Z", "dateReserved": "2025-07-18T19:12:48.298Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-23T04:25:48.156Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds."}, {"lang": "es", "value": "El complemento WP Filter &amp; Combine RSS Feeds para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n post_listing_page() en todas las versiones hasta la 0.4 incluida. Esto permite que atacantes autenticados, con acceso de Colaborador o superior, eliminen feeds."}], "id": "CVE-2025-7828", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-23T05:15:32.743", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wp-filter-combine-rss-feeds/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b09f97df-ee69-43aa-97b5-efc8ba16ef87?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:58:23.862856+00:00", "value": {"mitigation_remediation": ["Update the WP Filter & Combine RSS Feeds plugin to the latest version that includes the missing capability check.", "If no update is available, deactivate or uninstall the plugin to eliminate the vulnerability.", "Restrict Contributor role capabilities or re\u2011evaluate which users should hold Contributor or higher access to limit the potential for feed deletion."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Feed Deletion by authenticated Contributors"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the evigeo WP Filter & Combine RSS Feeds plugin version 0.4 or earlier are impacted; the issue is independent of the WordPress core version as long as the vulnerable plugin remains active.", "description_and_impact": "The WP Filter & Combine RSS Feeds plugin\u2019s internal post_listing_page function lacks a capability check, enabling any authenticated user with Contributor level access or higher to delete RSS feeds. This flaw does not allow code execution or privilege escalation, but it permits removal of user\u2011published feed content and disrupts content distribution, reducing site integrity.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.3, indicating moderate severity, and an EPSS score below 1%, signifying a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalogue. Exploitation requires simple authentication and existing Contributor or higher permissions, which are commonly granted on many sites. While the impact is limited to feed deletion rather than broader system compromise, the loss of RSS syndication can affect user engagement and content reach."}}}}, "created": "2025-08-23T17:27:23.991867+00:00", "updated": "2026-04-20T22:00:11.228885+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}