Description
Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2.
Published: 2026-01-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Broken Access Control
Action: Apply Patch
AI Analysis

Impact

The RSS Feed Widget plugin for WordPress contains a missing authorization flaw that results in broken access control for versions up to and including 3.0.2. This issue originates from incorrectly configured access control security levels, identified as CWE‑862. The plugin’s functionality can be accessed without proper authentication, potentially exposing the plugin’s endpoints and content to unauthenticated users. The description does not specify whether read, modify, or delete operations are possible, but the missing authorization indicates that some level of unauthorized interaction can occur.

Affected Systems

The affected product is the WordPress RSS Feed Widget plugin developed by Fahad Mahmood. Versions from the initial release to 3.0.2 are vulnerable; no fixed version is mentioned in the provided data.

Risk and Exploitability

The calculated CVSS score of 5.4 reflects a moderate severity for this missing authorization flaw. The EPSS score of less than 1% indicates a very low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the website’s web interface, where an unauthenticated user could target the plugin’s endpoints to access data protected by the broken access control.

Generated by OpenCVE AI on April 28, 2026 at 10:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RSS Feed Widget plugin to the latest release available, ideally a version that addresses the missing authorization flaw.
  • Configure the plugin’s access controls so that only authenticated administrators can invoke its features, ensuring proper permission checks are enforced.
  • If a patch is not yet released, disable or uninstall the plugin, or use network‑level restrictions to block non‑admin traffic from reaching the plugin’s endpoints.

Generated by OpenCVE AI on April 28, 2026 at 10:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Fahadmahmood
Fahadmahmood rss Feed Widget
Wordpress
Wordpress wordpress
Vendors & Products Fahadmahmood
Fahadmahmood rss Feed Widget
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Tue, 06 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2.
Title WordPress RSS Feed Widget plugin <= 3.0.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Fahadmahmood Rss Feed Widget
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:38.412Z

Reserved: 2025-12-31T20:12:28.143Z

Link: CVE-2025-69349

cve-icon Vulnrichment

Updated: 2026-01-06T19:51:17.932Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T17:15:47.350

Modified: 2026-04-27T21:16:25.053

Link: CVE-2025-69349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses