CVE-2026-8976
Authorization Bypass in Feedzy WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feedzy | feed_to_post | to 5.1.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The RSS Aggregator by Feedzy plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 5.1.7. This happens because the plugin does not properly verify if a user is authorized to perform certain actions.
As a result, authenticated users with contributor-level access or higher can create and execute RSS import jobs, delete all posts related to any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names.
The vulnerability is worsened by the fact that the nonce (a security token) required to access these functions is leaked to any user with the edit_posts capability through a localized script injected into the block editor. This means contributors do not need to steal a privileged nonce or perform additional exploit steps.
How can this vulnerability impact me? :
This vulnerability allows users with contributor-level access or higher to perform unauthorized actions such as creating and running RSS import jobs, force-deleting posts associated with any import job, clearing import error logs, and accessing sensitive information like taxonomy terms and post meta_key names.
These actions could lead to data loss, manipulation of content, and exposure of internal site data, potentially disrupting website operations and content integrity.