Impact
The WP eBay Product Feeds plugin for WordPress contains a Server‑Side Request Forgery (SSRF) flaw that allows an external party to trick the WordPress web server into retrieving content from arbitrary external or internal addresses. The description does not explicitly state authentication requirements; it is inferred that the vulnerability can be triggered without user credentials, because the plugin’s feed generation can be invoked through public or administrative interfaces. A successful exploit could expose confidential data or internal services, or serve as a foothold for further attacks if the target host is vulnerable.
Affected Systems
Any WordPress installation that has Rhys Wynne’s WP eBay Product Feeds plugin version 3.4.8 or earlier installed and enabled is affected. The vulnerability is reported to affect all releases from an unspecified lower bound up through 3.4.8, with no known impact on newer versions.
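To check a host against the affected range above, the following added example (not part of the advisory or the plugin) walks a plugins directory, reads each plugin's standard WordPress header comment, and flags installs of this plugin at 3.4.8 or earlier. The folder names and version strings in demo() are constructed sample data, and matching on the "Plugin Name" header rather than a folder name is an assumption of this sketch.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "WP eBay Product Feeds"  # plugin name as given in the advisory
LAST_AFFECTED = "3.4.8"                # advisory: 3.4.8 or earlier is affected
# Matches header lines such as " * Version: 3.4.8" inside the plugin's comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_version(text):
    """Turn '3.4.8' or '3.5-beta1' into a tuple of ints; () if no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(n) for n in m.group().split(".")) if m else ()

def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last affected release; an unreadable version counts as affected."""
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def read_header(php_file):
    """Read header fields from the first 8 KiB of the file, where WordPress looks for them."""
    head = php_file.read_text(errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def scan(plugins_dir):
    """Return (folder, version, affected) for every install of PLUGIN_NAME."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if header.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            version = header.get("version", "")
            hits.append((php.parent.name, version, is_affected(version)))
    return hits

def demo():
    """Build a constructed plugins tree (made-up folders and versions) and scan it."""
    template = "<?php\n/*\n * Plugin Name: {}\n * Version: {}\n */\n"
    samples = [("site-a", PLUGIN_NAME, "3.4.8"), ("site-b", PLUGIN_NAME, "3.4.9"),
               ("other", "Unrelated Plugin", "1.0")]
    with tempfile.TemporaryDirectory() as root:
        for folder, name, version in samples:
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(template.format(name, version))
        return scan(root)

if __name__ == "__main__":
    for folder, version, affected in demo():
        print(folder, version, "AFFECTED" if affected else "not in affected range")
```

On a real host, pass the site's wp-content/plugins path to scan() instead of calling demo().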
Risk and Exploitability
The CVSS score of 4.9 places this issue in the medium severity range. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation at present. Nonetheless, because the flaw can be leveraged remotely without special privileges (an attacker can simply submit a crafted request through the plugin’s interface), the risk remains real for exposed WordPress sites.