Impact
The RSS Aggregator by Feedzy plugin contains an unauthenticated blind server‑side request forgery (SSRF) vulnerability in the feedzy_lazy_load function. Attackers can cause the WordPress site to issue HTTP requests to arbitrary internal or external hosts, enabling the retrieval or modification of sensitive data from services that are normally inaccessible from the public internet. This flaw can expose internal network structure, exfiltrate confidential information, or allow malicious modification of internal resources.
Affected Systems
This issue affects the Themeisle WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator in all releases up to and including version 5.1.1. No other plugin versions are known to be vulnerable, but any installation still running an affected version remains at risk.
Risk and Exploitability
With a CVSS score of 5.8, the vulnerability is rated moderate. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw lets unauthenticated actors issue arbitrary requests from the host, it can be leveraged to probe internal services, exfiltrate information, or manipulate application data. The likely attack vector is an unauthenticated user sending a crafted request that triggers feedzy_lazy_load, which then forwards the request to a target host chosen by the attacker.
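The standard mitigation for a server-side fetch like the one feedzy_lazy_load performs is to vet the destination before the request leaves the host. The following is an added illustration of that check (not code from the Feedzy plugin or from Themeisle): it resolves the hostname of a user-supplied URL and refuses any address that is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast or reserved. The DNS table and IP values are constructed for the example, and the resolver is injectable so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table for offline demonstration; not real infrastructure.
FAKE_DNS = {
    "feeds.example.com": {"93.184.216.34"},          # routable, should pass
    "internal-wiki.corp": {"10.20.30.40"},            # RFC 1918, must fail
    "metadata": {"169.254.169.254"},                  # link-local, must fail
    "mixed.example.com": {"93.184.216.34", "127.0.0.1"},  # one bad record, must fail
}


def fake_resolve(host):
    """Offline resolver over the constructed table; unknown names resolve to nothing."""
    return FAKE_DNS.get(host, set())


def system_resolve(host):
    """Real resolver: every A/AAAA address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_target(url, resolve=system_resolve):
    """Return True only if scheme, port and *every* resolved address are acceptable.

    All addresses are checked, so a name mixing a public and an internal record is
    rejected. The caller must then connect to the vetted IP (setting the Host header
    to the original name) instead of re-resolving, or DNS rebinding defeats the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed or non-numeric port
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, UnicodeError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
        if not ip.is_global:     # loopback, private, link-local, multicast, reserved
            return False
    return True
```

In a WordPress context the equivalent built-in safeguard is to fetch with wp_safe_remote_get(), which applies a comparable local-address check before the request is sent.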
OpenCVE Enrichment