Impact
The vulnerability resides in the "feedzy_sanitize_feeds" function of the Feedzy RSS Feeds Lite plugin. An authenticated user with the Subscriber role or higher can supply an arbitrary URL that the WordPress instance will then request on the user's behalf. This Server-Side Request Forgery (SSRF) can be used to reach internal network services and retrieve data that is not exposed through the public web interface. The weakness is classified as CWE-918 (Server-Side Request Forgery): the server builds an outbound request from a URL taken from untrusted input without adequately validating it first.
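The defensive counterpart to a CWE-918 weakness of this shape is to validate a user-supplied feed URL before the server fetches it. The PHP function below is an added example written for this page; it is not code from the Feedzy plugin or from OpenCVE, and the function name, the sample URLs and the call site are hypothetical. It accepts only http(s) URLs, refuses embedded credentials and localhost names, resolves the host itself, and rejects any address in loopback, private (RFC 1918) or reserved/link-local ranges.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Function name and sample URLs are hypothetical.

/**
 * Return true only when $url is an http(s) URL whose host resolves
 * exclusively to public, routable IPv4 addresses.
 */
function example_is_safe_feed_url(string $url): bool {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only fetch over HTTP(S); this blocks file://, ftp://, gopher:// and similar schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // A public feed never needs credentials embedded in its URL.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    if ($host === 'localhost' || substr($host, -strlen('.localhost')) === '.localhost') {
        return false;
    }
    // Resolve the name ourselves so the check applies to the real destination,
    // not to the hostname string. A literal IPv4 address is used as given.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $addresses = [$host];
    } else {
        $addresses = gethostbynamel($host);
    }
    if (empty($addresses)) {
        return false;  // unresolvable, or an IPv6-only host this IPv4-only check cannot vet
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16;
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 and 240/4.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (TEST-NET-3 stands in for a public feed host).
$samples = [
    'http://203.0.113.10/feed.xml',        // public address: accepted
    'http://127.0.0.1:8080/feed.xml',      // loopback: rejected
    'http://10.0.0.5/feed.xml',            // RFC 1918: rejected
    'file:///etc/hosts',                   // non-HTTP scheme: rejected
    'http://user:pw@203.0.113.10/feed',    // embedded credentials: rejected
];
foreach ($samples as $url) {
    printf("%-40s %s\n", $url, example_is_safe_feed_url($url) ? 'allow' : 'reject');
}
```

Two caveats apply. The resolution in the check and the resolution in the later fetch are separate DNS lookups, so a name that changes its answer between them can slip through; pinning the fetch to the validated address closes that gap. Inside WordPress the idiomatic route is wp_safe_remote_get(), which applies wp_http_validate_url() to the URL before requesting it, and the feed-submission handler should additionally be gated with a capability check such as current_user_can('manage_options') rather than being reachable by any logged-in Subscriber.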
Affected Systems
WordPress installations running the RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin, versions up to and including 5.1.0, are affected. Only sites that currently run one of these versions are exposed.
Risk and Exploitability
The CVSS score of 5 indicates moderate severity, and the EPSS score of less than 1 percent indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because exploitation requires only Subscriber-level authentication, which many sites grant broadly, the exposed population is larger than the score alone suggests. Until the plugin is updated or the accounts able to reach it are hardened, the risk remains moderate, chiefly for sites where the SSRF path can reach internal resources.
OpenCVE Enrichment