CVE-2025-11467
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-11

Last updated on: 2025-12-11

Assigner: Wordfence

Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-11
Last Modified
2025-12-11
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11467
EUVD
EUVD-2025-202643
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
feedzy feed_to_post 5.1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Blind Server-Side Request Forgery (SSRF) in the RSS Aggregator by Feedzy plugin for WordPress, affecting all versions up to 5.1.1. It occurs via the feedzy_lazy_load function, allowing unauthenticated attackers to make web requests from the web application to arbitrary locations, potentially querying and modifying information from internal services.

Impact Analysis

The vulnerability allows unauthenticated attackers to send requests from the vulnerable web application to arbitrary locations, which can lead to unauthorized querying and modification of information from internal services. This can result in data exposure or manipulation within the internal network.

Detection Guidance

Detection of this Blind Server-Side Request Forgery (SSRF) vulnerability in the Feedzy plugin involves monitoring for unusual outbound web requests originating from the WordPress application, especially those triggered by the feedzy_lazy_load function. Since the vulnerability allows unauthenticated attackers to make arbitrary web requests, network monitoring tools can be used to detect unexpected internal or external HTTP requests from the web server. Additionally, reviewing WordPress logs for unusual access patterns to the feedzy plugin endpoints or shortcode usage may help. Specific commands depend on your environment, but examples include using network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests, e.g., `tcpdump -i eth0 -A port 80 or port 443` to inspect HTTP/S traffic from the server. Also, checking web server access logs for suspicious requests to feedzy-related URLs or parameters can help. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Feedzy plugin to a version later than 5.1.1 where the vulnerability is fixed. If an update is not immediately possible, disabling or removing the Feedzy plugin can prevent exploitation. Additionally, restricting outbound HTTP requests from the web server to only trusted destinations via firewall rules can reduce risk. Monitoring and blocking suspicious requests targeting the feedzy_lazy_load function or related endpoints is also advisable. Since the vulnerability allows unauthenticated attackers to make arbitrary web requests, limiting plugin usage and access until patched is critical. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart