The RSS Aggregator by Feedzy plugin for WordPress is affected by a flaw that allows any authenticated user with contributor-level access to bypass authorization checks. Because the plugin does not verify that a user is authorized to perform an action, a contributor can create and execute RSS import jobs, delete all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. These capabilities give the attacker the ability to manipulate site content and gain insight into site structure, which is a violation of confidentiality, integrity and availability. The weakness is a classic example of broken access control, as identified by CWE‑862.

All installations of the Themeisle RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator WordPress plugin version 5.1.7 and earlier are impacted. Sites running these versions, regardless of the number of contributors, are vulnerable if a user can log in with contributor or higher privileges.

The CVSS score of 4.3 places this vulnerability in a moderate severity range. Because the exploit requires an authenticated contributor or higher user and leaks a nonce to any user with the edit_posts capability, it is not remotely exploitable from outside the site. EPSS data is not available, and the vulnerability has not been listed in the CISA KEV catalog. An attacker who has control of a contributor account can use the vulnerable AJAX endpoints to modify imports, purge content, clear logs or harvest taxonomy and meta information, potentially leading to loss of content or privacy leakage. The attack vector is therefore an authenticated, non-privileged user with edit_posts capability within a compromised or compromised-site environment.