CVE-2026-8976
Deferred Deferred - Pending Action
Authorization Bypass in Feedzy WordPress Plugin

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: Wordfence

Description
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-06
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-8976
EUVD
EUVD-2026-34932
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
feedzy feed_to_post to 5.1.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The RSS Aggregator by Feedzy plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 5.1.7. This happens because the plugin does not properly verify if a user is authorized to perform certain actions.

As a result, authenticated users with contributor-level access or higher can create and execute RSS import jobs, delete all posts related to any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names.

The vulnerability is worsened by the fact that the nonce (a security token) required to access these functions is leaked to any user with the edit_posts capability through a localized script injected into the block editor. This means contributors do not need to steal a privileged nonce or perform additional exploit steps.

Impact Analysis

This vulnerability allows users with contributor-level access or higher to perform unauthorized actions such as creating and running RSS import jobs, force-deleting posts associated with any import job, clearing import error logs, and accessing sensitive information like taxonomy terms and post meta_key names.

These actions could lead to data loss, manipulation of content, and exposure of internal site data, potentially disrupting website operations and content integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8976. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart