Description
Cross-Site Request Forgery (CSRF) vulnerability in flyaga Fix Rss Feeds fix-rss-feed allows Cross Site Request Forgery. This issue affects Fix Rss Feeds: from n/a through <= 3.1.
Published: 2025-03-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery (CSRF) is present in the Fix Rss Feeds plugin for all releases up to and including version 3.1. The flaw allows an attacker to cause a logged‑in user to execute unintended actions, such as altering plugin settings or otherwise manipulating data. The CVE description does not specify whether a request token is missing or how the CSRF protection was bypassed, so the precise root cause cannot be confirmed, but CSRF typically arises from a lack of request validation.

Affected Systems

The vulnerability affects the WordPress plugin "Fix Rss Feeds" by the vendor flyaga. All plugin releases from the earliest available version through version 3.1 are impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of <1% suggests that exploitation is currently unlikely. The issue is not listed in the CISA KEV catalog. Exploitation would require an attacker to lure an authenticated user to submit a crafted request—such as via a phishing link or an embedded form—triggering the unintended action. This attack vector is inferred based on common CSRF exploitation methods, as the description does not detail the exact mechanism.

Generated by OpenCVE AI on May 2, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fix Rss Feeds plugin to a version newer than 3.1 to address the CSRF issue.
  • If an upgrade is temporarily infeasible, consider uninstalling or disabling the plugin to eliminate the attack surface.
  • Restrict plugin configuration changes to administrators only, ensuring that only privileged users can trigger the affected functionality.



Advisories
Source: EUVD
ID: EUVD-2025-7975
Title: Cross-Site Request Forgery (CSRF) vulnerability in flyaga Fix Rss Feeds allows Cross Site Request Forgery. This issue affects Fix Rss Feeds: from n/a through 3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in flyaga Fix Rss Feeds allows Cross Site Request Forgery. This issue affects Fix Rss Feeds: from n/a through 3.1.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in flyaga Fix Rss Feeds fix-rss-feed allows Cross Site Request Forgery. This issue affects Fix Rss Feeds: from n/a through <= 3.1.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Mon, 24 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in flyaga Fix Rss Feeds allows Cross Site Request Forgery. This issue affects Fix Rss Feeds: from n/a through 3.1.
Title WordPress Fix Rss Feeds plugin <= 3.1 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:54.012Z

Reserved: 2025-03-24T12:59:58.192Z

Link: CVE-2025-30556

Vulnrichment

Updated: 2025-03-24T14:49:59.823Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:24.837

Modified: 2026-04-23T15:26:51.653

Link: CVE-2025-30556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses