Description
The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronization from Feedly, potentially creating multiple posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery that enables unauthenticated attackers to trigger content synchronization and potentially create posts
Action: Assess Impact
AI Analysis

Impact

The Sync Feedly plugin for WordPress includes a missing or incorrect nonce validation in the crsf_cron_job_func function. This flaw allows an attacker to forge a request that triggers a content synchronization operation. If an administrator falls for a crafted link, the plugin may create multiple posts automatically, leading to spam or unwanted content on the site. The vulnerability does not grant arbitrary code execution, but it does permit unauthenticated creation of content through an administrator’s session.

Affected Systems

WordPress sites running the Sync Feedly plugin from cristianr909090, versions up to and including 1.0.1, are affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact. The EPSS score of <1% suggests low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a cross‑site request where an administrator is authenticated, and an attacker lures the admin to click a malicious link. The attack vector is user interaction, making it less likely to be automated but still feasible if phishing or social engineering succeeds.

Generated by OpenCVE AI on April 21, 2026 at 02:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Sync Feedly plugin to a version newer than 1.0.1 where the CSRF validation is fixed.
  • Configure a security plugin or custom code to enforce nonce verification on all admin actions or block cross‑site requests to the sync trigger endpoint.
  • Instruct site administrators to exercise caution with unfamiliar links and avoid clicking suspicious URLs that could trigger unintended content synchronization.

Generated by OpenCVE AI on April 21, 2026 at 02:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31414 The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronization from Feedly, potentially creating multiple posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 29 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 27 Sep 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronization from Feedly, potentially creating multiple posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Sync Feedly <= 1.0.1 - Cross-Site Request Forgery to Sync Trigger
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:31.500Z

Reserved: 2025-09-02T23:10:18.408Z

Link: CVE-2025-9894

cve-icon Vulnrichment

Updated: 2025-09-29T19:06:24.567Z

cve-icon NVD

Status : Deferred

Published: 2025-09-27T07:15:34.457

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9894

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses