Impact
The Silencesoft RSS Reader WordPress plugin contains a Server Side Request Forgery (SSRF) vulnerability: it fetches the URL supplied as an RSS feed address or configuration setting without validating the target, so the web server can be made to request arbitrary destinations, including hosts that are reachable only from the server itself. This is CWE-918. The description does not state that the fetched content is processed in a way that leads to code execution or privilege escalation; the demonstrated impact is that the server's network position is exposed, letting an attacker probe internal services from the host, generate outbound traffic to third parties, and, where the plugin renders what it fetched, read the responses.
Affected Systems
All installations of the Silencesoft RSS Reader plugin whose version is 0.6 or earlier are affected. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 5.4 corresponds to Medium severity. The EPSS score below 1% indicates that the probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog, so no public exploitation is recorded. The attack vector is an attacker supplying a crafted feed URL or configuration entry, which causes the plugin to issue outbound HTTP requests to a destination of the attacker's choosing. The description lists no additional prerequisites, so it is inferred that no privileged access is required; this is an inference, since the advisory does not say which setting or request parameter carries the URL or who may set it.
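The fetch pattern described under Impact and the attack vector above, as an added example that is not the Silencesoft RSS Reader plugin's own code: a hypothetical unvalidated feed fetch next to the check a plugin should run before any outbound request. The function names, the idea that the URL comes from a setting, the host names and the resolver table are assumptions made for the example; the resolver is a constructed lookup table so the block runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Silencesoft RSS Reader plugin. Function
// names, the setting that carries the feed URL and all host names are assumed.

// Vulnerable pattern (hypothetical): the feed URL from a setting or request goes
// straight into a fetch. file_get_contents() accepts any stream wrapper (file://,
// ftp://, php://) and follows redirects, so the server fetches whatever it is told.
function fetch_feed_unsafe(string $feed_url): string|false
{
    return @file_get_contents($feed_url);
}

// Hardened check to run before any outbound request. $resolve lets the caller
// inject DNS resolution; it defaults to gethostbyname() and is replaced below
// with a constructed table so the example runs without network access.
function is_safe_feed_url(string $url, ?callable $resolve = null): bool
{
    $resolve ??= static fn (string $host) => gethostbyname($host);

    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false; // no file://, ftp://, gopher://, php:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false; // http://trusted.host@10.0.0.5/ style confusion
    }

    $host = strtolower(trim($p['host'], '[]')); // strip IPv6 literal brackets
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : $resolve($host);
    if (!is_string($ip) || !filter_var($ip, FILTER_VALIDATE_IP)) {
        return false; // resolution failed (gethostbyname returns the name unchanged)
    }

    // Refuse loopback, RFC 1918, link-local (169.254/16, which includes cloud
    // metadata endpoints), unspecified and other reserved ranges, v4 and v6.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Hardened fetch: validate first, then restrict curl to http(s) and disable
// automatic redirects so a 302 cannot point the request at an internal address.
function fetch_feed_safe(string $feed_url): string|false
{
    if (!is_safe_feed_url($feed_url)) {
        return false;
    }
    $ch = curl_init($feed_url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed resolver table (no network needed): one public feed host and one
// hypothetical intranet name that resolves to a private address.
$resolver = static fn (string $host) => [
    'feeds.example.com' => '93.184.216.34',
    'intranet.corp'     => '10.0.0.5',
][$host] ?? false;

$cases = [
    'https://feeds.example.com/rss.xml',          // allowed
    'http://intranet.corp/admin',                 // private address via DNS
    'http://127.0.0.1:8080/',                     // loopback
    'http://169.254.169.254/latest/meta-data/',   // cloud metadata range
    'http://[::1]/',                              // IPv6 loopback
    'file:///etc/passwd',                         // non-http scheme
    'http://feeds.example.com@10.0.0.5/',         // userinfo confusion
];
foreach ($cases as $url) {
    printf("%-45s %s\n", $url, is_safe_feed_url($url, $resolver) ? 'ALLOW' : 'BLOCK');
}
```

Only the first case is allowed; the rest are blocked. Two caveats a reviewer would raise: the check resolves the name once and the fetch resolves it again, so a rebinding DNS record can pass validation and then point at an internal address (pin the validated IP with CURLOPT_RESOLVE if that matters), and redirects must be re-validated rather than followed blindly. Inside WordPress the idiomatic fix is to replace file_get_contents() or wp_remote_get() with wp_safe_remote_get(), which sets reject_unsafe_urls and runs wp_http_validate_url() against the target, rejecting non-http(s) schemes and RFC 1918 and loopback addresses.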