Description
The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-11-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery (SSRF) enabling internal data exfiltration or modification
Action: Patch Immediately
AI Analysis

Impact

The vulnerability exists in the wpematico_test_feed() function of the WPeMatico RSS Feed Fetcher plugin, allowing any authenticated user with Subscriber or higher privileges to direct the web server to send HTTP requests to arbitrary URLs. By crafting the target URL, an attacker can query or manipulate services that are normally accessible only within the internal network, thereby exposing sensitive data or altering system state.

Affected Systems

Any WordPress installation running WPeMatico RSS Feed Fetcher 2.8.11 or earlier is affected. Exploitation requires an authenticated account with the Subscriber role or higher, so sites that allow open registration expose the vulnerable function to anyone who signs up.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects moderate severity: the attack is network-reachable and low-complexity, needs only low privileges and no user interaction, and the changed scope (S:C) records that the damage lands on internal services beyond the WordPress host itself. The EPSS score below 1% indicates a low observed probability of exploitation in the wild at this time, and the CVE is not in the CISA KEV catalog.

The exploit path is a crafted request to the wpematico_test_feed endpoint carrying a target URL, which the server then fetches on the attacker's behalf. Successful exploitation can disclose internal resources or modify internal data; the actual impact depends on what the web server can reach, such as admin interfaces bound to localhost, internal APIs or cloud metadata endpoints, and on how the network is segmented. Because the attacker must first hold an authenticated account, the risk is contingent on how freely Subscriber-level accounts are granted; on sites with open registration that precondition is trivial to meet.

Generated by OpenCVE AI on April 22, 2026 at 12:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPeMatico RSS Feed Fetcher plugin to a release later than 2.8.11 (the advisory covers 2.8.11 and earlier). Since no vendor fix is recorded on this page, confirm in the plugin's changelog that the release you install addresses the SSRF.
  • If upgrading is not immediately feasible, restrict outbound HTTP from the web server with firewall rules or an egress proxy: deny loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address) and other reserved ranges, and allow-list only the hosts the site legitimately fetches. Note that egress filtering limits where a forged request can go but does not stop the endpoint from being called.
  • Disable the wpematico_test_feed endpoint until patched. Prefer doing this from a must-use plugin that unhooks or short-circuits the handler rather than editing the plugin's files, because in-place edits are lost on the next update.
  • Tighten who can reach the function: Subscriber is the lowest WordPress role, so the practical controls are disabling open registration (Settings > General, "Anyone can register"), auditing existing low-privilege accounts, and ensuring feed-testing actions require an administrative capability such as manage_options.
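The remediation items above (egress filtering, disabling the endpoint via hooks, tightening capabilities) can be applied together at the WordPress layer. The following is an added example, not code from WPeMatico or OpenCVE: a must-use plugin that refuses any outbound WordPress HTTP request whose host resolves to a loopback, private, link-local or reserved address, followed by a hypothetical hardened "test this feed" AJAX handler showing the capability check and safe fetch such an endpoint needs. `pre_http_request`, `wp_safe_remote_get()`, `check_ajax_referer()` and `current_user_can()` are WordPress core APIs; the action name `example_test_feed`, the `feed_url` parameter, the allow-list constant and the `ssrf_guard_*` function names are assumptions for illustration and are not WPeMatico's real hook names or parameters.

```php
<?php
/**
 * Plugin Name: SSRF egress guard (added example, not WPeMatico code)
 *
 * Drop into wp-content/mu-plugins/. Hooks WordPress' HTTP API so that any
 * outbound request (wp_remote_get(), wp_remote_post(), ...) whose host resolves
 * to a loopback, private, link-local or otherwise reserved address is refused
 * before a socket is opened. Hook names are WordPress core; the rest is
 * illustrative and assumed.
 */

// Hosts that legitimately live on internal addresses (e.g. a caching proxy,
// or the site's own hostname if WP-Cron loops back to 127.0.0.1). Assumed list.
const SSRF_GUARD_ALLOWED_HOSTS = array();

/**
 * True when $ip (a v4 or v6 literal) is loopback, private, link-local or
 * otherwise reserved, i.e. an address an RSS fetcher should never reach.
 */
function ssrf_guard_is_internal_ip( $ip ) {
    $packed = @inet_pton( $ip );
    if ( false === $packed ) {
        return true; // unparseable: fail closed
    }
    // Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 checks apply.
    if ( 16 === strlen( $packed ) && substr( $packed, 0, 12 ) === str_repeat( "\0", 10 ) . "\xff\xff" ) {
        $ip = inet_ntop( substr( $packed, 12 ) );
    }
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fd00::/8;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::, fe80::/10.
    return false === filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

/**
 * Decide whether an outbound URL may be fetched. Returns a WP_Error describing
 * the refusal, or null when the request may proceed.
 */
function ssrf_guard_check_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return new WP_Error( 'ssrf_guard', 'Malformed URL refused.' );
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'ssrf_guard', 'Only http/https may be fetched.' );
    }
    $host = strtolower( trim( $parts['host'], '[]' ) ); // strip IPv6 brackets
    if ( in_array( $host, SSRF_GUARD_ALLOWED_HOSTS, true ) ) {
        return null;
    }
    // A literal IP needs no lookup. A name is resolved (A and AAAA) and every
    // answer is checked, because the attacker controls DNS for their own domain
    // and can point it at 127.0.0.1 or 169.254.169.254.
    if ( false !== @inet_pton( $host ) ) {
        $addrs = array( $host );
    } else {
        $addrs = array();
        foreach ( (array) @dns_get_record( $host, DNS_A | DNS_AAAA ) as $rec ) {
            if ( isset( $rec['ip'] ) )   { $addrs[] = $rec['ip']; }
            if ( isset( $rec['ipv6'] ) ) { $addrs[] = $rec['ipv6']; }
        }
        if ( empty( $addrs ) ) {
            return new WP_Error( 'ssrf_guard', "Could not resolve $host." );
        }
    }
    foreach ( $addrs as $ip ) {
        if ( ssrf_guard_is_internal_ip( $ip ) ) {
            return new WP_Error( 'ssrf_guard', "Refusing to fetch $host ($ip is an internal address)." );
        }
    }
    return null;
}

// pre_http_request runs before every WP_Http request; returning a WP_Error
// short-circuits the request and that error is what the caller receives.
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    $err = ssrf_guard_check_url( $url );
    return $err instanceof WP_Error ? $err : $preempt;
}, 10, 3 );

// Hypothetical hardened shape of a "test this feed URL" AJAX handler. The
// action name, nonce action and feed_url parameter are assumptions. Two
// checks a Subscriber-reachable SSRF lacks: a capability check, and a fetch
// that refuses unsafe hosts and redirects.
add_action( 'wp_ajax_example_test_feed', function () {
    check_ajax_referer( 'example_test_feed' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 );
    }
    $url = esc_url_raw( wp_unslash( $_POST['feed_url'] ?? '' ) );
    // wp_safe_remote_get() applies wp_http_validate_url(); the guard above
    // runs as well. redirection => 0 stops an external 302 into the LAN.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( $resp->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'status' => wp_remote_retrieve_response_code( $resp ) ) );
} );
```

Two caveats. The guard validates the name the request starts with, not the address the HTTP library finally connects to, so a DNS answer that changes between check and connect (rebinding) can still slip through; pinning the resolved IP for the actual connection closes that gap, but the WordPress HTTP API does not expose it. And the underlying Requests library follows redirects internally, so a hop from an allowed external host to an internal one does not pass through `pre_http_request` a second time; that is why the handler sets `redirection` to 0. If WP-Cron or other loopback calls to the site's own hostname resolve to an internal address, add that hostname to the allow-list or cron will stop running.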



Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Etruel
                                        Etruel wpematico Rss Feed Fetcher
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products                      Etruel
                                        Etruel wpematico Rss Feed Fetcher
                                        Wordpress
                                        Wordpress wordpress

Wed, 05 Nov 2025 16:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 05 Nov 2025 06:45:00 +0000

Type          Values Removed    Values Added
Description                     The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title                           WPeMatico RSS Feed Fetcher <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed
Weaknesses                      CWE-918
References
Metrics                         cvssV3_1
                                {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:58.084Z

Reserved: 2025-10-17T14:18:30.580Z

Link: CVE-2025-11917

Vulnrichment

Updated: 2025-11-05T15:45:06.603Z

NVD

Status : Deferred

Published: 2025-11-05T07:15:32.073

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses