A critical vulnerability has been identified in the RSS Aggregator by Feedzy plugin for WordPress, affecting versions up to 4.4.2. The plugin, which has over 50,000 active installations, is widely used for feed to post conversions, import capabilities, and RSS feed displays.
Vulnerability Details:
- CVE ID: CVE-2024-1317
- CVSS Score: 8.8 (High)
- Affected Versions: Up to and including 4.4.2
- Impact: SQL Injection, Data Exfiltration
Description:
The vulnerability arises from inadequate escaping of user-supplied parameters and insufficient preparation in SQL queries. Specifically, the search_key parameter in the plugin’s fetch_custom_fields() function is vulnerable, allowing authenticated attackers with contributor-level permissions or higher to inject malicious SQL and extract sensitive data, including password hashes.
The flaw is attributed to the misuse of the wpdb->prepare() function and the direct appending of the $like value to the query, bypassing critical defense mechanisms against SQL injection.
Mitigation Strategies:
- Immediate Update: Upgrade to Feedzy version 4.4.3, which contains the patch for this vulnerability.
- Review User Permissions: Limit user permissions to the minimum necessary and regularly audit user roles.
- Monitor for Suspicious Activity: Keep an eye on database access logs and website activity for signs of exploitation.
Recommendations:
WordPress website administrators using the RSS Aggregator by Feedzy plugin should update to version 4.4.3 immediately to address this critical vulnerability. Additionally, it is advisable to review and adjust user permissions and monitor website activity to prevent potential exploitation.
Stay safe and informed,
OP Innovate Research Team.
