CVE-2026-8976
Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.
Affected products
- Range: <=5.1.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly verify user authorization for critical actions."
Attack vector
Authenticated attackers with contributor-level access can exploit this vulnerability. The plugin leaks a nonce, required for certain administrative actions, to users with the `edit_posts` capability via localized JavaScript. This allows attackers to bypass authorization checks and perform actions such as creating and executing RSS import jobs, purging posts, clearing error logs, and enumerating taxonomy terms and post meta keys without needing privileged nonce theft or a separate exploit step [ref_id=1].
Affected code
The vulnerability lies within the plugin's handling of RSS import jobs and related administrative actions. Specifically, the localized script `feedzyjs` injects a nonce into the block editor, which is accessible to users with the `edit_posts` capability [ref_id=1]. This bypasses the intended authorization mechanisms for functions related to import job management and data manipulation.
What the fix does
The patch is not provided in the bundle. The advisory attributes the vulnerability to the plugin not properly verifying user authorization for certain actions. Remediation would typically involve adding explicit authorization (capability) checks before allowing a user to perform sensitive operations such as creating or executing imports, purging data, or clearing logs, rather than relying on possession of a nonce that is handed to every block-editor user.
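To make the remediation point concrete, the following is an added illustration (not Feedzy's code and not the actual patch): a hypothetical AJAX "purge" handler in which a nonce localized to every block-editor user is the only gate, shown beside a version that also checks the caller's capability. All function, action and meta-key names are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Names are hypothetical.

// The nonce is handed to every block-editor user, i.e. anyone with edit_posts
// (Contributor and above), so it cannot serve as a privilege check.
add_action( 'enqueue_block_editor_assets', function () {
    wp_localize_script( 'example-block-js', 'exampleJs', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_import_nonce' ),
    ) );
} );

// Force-deletes every post tagged with a given import job id (hypothetical helper).
function example_force_delete_imported_posts( $job_id ) {
    $ids = get_posts( array(
        'post_type'   => 'post',
        'fields'      => 'ids',
        'numberposts' => -1,
        'meta_key'    => 'example_import_job',
        'meta_value'  => $job_id,
    ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );
    }
}

// WEAK: a valid nonce proves the request came from the site (anti-CSRF), not that
// the caller is allowed to destroy data. Every Contributor holds this nonce.
function example_purge_weak() {
    check_ajax_referer( 'example_import_nonce', 'security' );
    $job_id = absint( $_POST['id'] ?? 0 );
    example_force_delete_imported_posts( $job_id );
    wp_send_json_success();
}

// FIXED: nonce check plus an explicit capability check tied to the action.
// manage_options limits the destructive branch to administrators; pick the
// capability that matches what the action really needs.
function example_purge_fixed() {
    check_ajax_referer( 'example_import_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $job_id = absint( $_POST['id'] ?? 0 );
    // Object-level check too: the caller must be allowed to delete this job itself.
    if ( ! $job_id || ! current_user_can( 'delete_post', $job_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed for this job' ), 403 );
    }
    example_force_delete_imported_posts( $job_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_purge', 'example_purge_fixed' );
```

The same pattern (nonce plus `current_user_can`) applies to the other sub-handlers the advisory lists, such as clearing error logs and enumerating taxonomy terms or meta keys, each gated by the capability appropriate to that action.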
Preconditions
- auth: The attacker must be authenticated with at least contributor-level access.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php (nvd)
- plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/feedzy-rss-feeds.php (nvd)
- plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php (nvd)
- plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php (nvd)
- plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/feedzy-rss-feeds.php (nvd)
- plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/e495c215-2e01-4a37-aca3-99a067c46791 (nvd)
News mentions
No linked articles in our index yet.