
CVE-2024-9583: CWE-862 Missing Authorization in jeangalea RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Severity: Medium
Published: Wed Oct 23 2024 (10/23/2024, 06:45:05 UTC)
Source: CVE Database V5
Vendor/Project: jeangalea
Product: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Description

CVE-2024-9583 is a medium-severity vulnerability in the WordPress plugin 'RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging' by jeangalea. The flaw is a missing authorization check in the wprss_ajax_send_premium_support function, which allows authenticated users with Subscriber-level access or higher to send premium support requests with attacker-controlled subject lines and email addresses. This can lead to impersonation of the site owner when contacting support and to potential leakage of license information. The vulnerability affects all versions up to and including 4.23.12. Exploitation does not require user interaction, but it does require authentication at a low privilege level. No exploits are currently reported in the wild. The CVSS score is 4.3, reflecting limited confidentiality impact and no integrity or availability impact.

AI-Powered Analysis

Last updated: 02/25/2026, 23:25:44 UTC

Technical Analysis

The vulnerability identified as CVE-2024-9583 affects the WordPress plugin 'RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging' developed by jeangalea. It arises from a missing authorization check (CWE-862) in the function wprss_ajax_send_premium_support, which does not verify whether the authenticated user has the capability required to send premium support requests. Because WordPress AJAX handlers registered for logged-in users are reachable by any authenticated account, this allows any user with at least Subscriber-level privileges to invoke the function and send support requests with arbitrary subject lines and email addresses. Consequently, an attacker can impersonate the legitimate site owner when communicating with the plugin's support team. Additionally, the request may expose license information, potentially aiding further attacks or unauthorized use of the license. The vulnerability affects all plugin versions up to and including 4.23.12. The attack vector is remote over the network (AV:N), requires low privileges (PR:L) and no user interaction (UI:N), and impacts confidentiality to a limited extent (C:L) while leaving integrity and availability unaffected. No patch or public exploit is currently known, although the flaw has been published since October 2024.
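The following is an added illustration of the CWE-862 pattern described above and of the authorization check that closes it; it is not the plugin's actual code. The function names, the `example_support_nonce` action, the `example_license_key` option and the `support@vendor.example` address are assumptions made for the example.

```php
<?php
// Illustrative reconstruction of a missing-authorization AJAX handler (NOT the plugin's code).
// wp_ajax_* hooks only require *some* logged-in session, so a Subscriber can reach them.

// VULNERABLE PATTERN: acts on client-supplied data without any capability check.
function example_vulnerable_send_support() {
    $subject = $_POST['subject'];                                   // attacker-controlled subject
    $email   = $_POST['email'];                                     // attacker-controlled reply address
    $body    = 'License key: ' . get_option( 'example_license_key' ); // license data leaves the site
    wp_mail( 'support@vendor.example', $subject, $body, 'Reply-To: ' . $email );
    wp_send_json_success();
}

// HARDENED PATTERN: authorize, verify the nonce, validate input, then act.
function example_hardened_send_support() {
    // 1. Authorization (the check CWE-862 is about): only administrators may contact support.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 ); // calls wp_die(), execution stops
    }
    // 2. CSRF protection: the form must carry a nonce issued by wp_create_nonce( 'example_support_nonce' ).
    check_ajax_referer( 'example_support_nonce', 'nonce' );

    // 3. Input validation: constrain what reaches the outbound e-mail.
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    if ( '' === $subject || strlen( $subject ) > 200 ) {
        wp_send_json_error( 'Invalid subject', 400 );
    }
    // 4. Sender identity comes from the site, not the request, so it cannot be spoofed.
    $headers = array( 'Reply-To: ' . sanitize_email( get_option( 'admin_email' ) ) );
    $body    = 'License key: ' . get_option( 'example_license_key' );
    wp_mail( 'support@vendor.example', $subject, $body, $headers );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_send_support', 'example_hardened_send_support' );
```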

Potential Impact

The primary impact of this vulnerability is the unauthorized use of functionality by low-privileged authenticated users, which can lead to impersonation of the site owner when contacting premium support. This can undermine trust between the site owner and the plugin vendor's support team and may facilitate social engineering or phishing attacks. Leakage of license information could enable attackers to misuse or redistribute licenses fraudulently, potentially causing financial loss or service disruption for legitimate users. Although the vulnerability does not directly affect site integrity or availability, the ability to impersonate the site owner could be leveraged in more complex attack chains. Organizations using this plugin on WordPress sites, especially those with multiple user roles including Subscribers, are at risk. The impact is mostly reputational and operational rather than catastrophic, but it can be significant for businesses relying on premium support for critical plugin functionality.

Mitigation Recommendations

To mitigate this vulnerability, site administrators should update the RSS Aggregator plugin to a version that includes proper authorization checks as soon as the vendor releases one. Until then, prevent Subscriber-level and other low-privilege accounts from reaching the premium support functionality by disabling or restricting the plugin's AJAX endpoint through web application firewall (WAF) rules or custom code. Enforce strict role-based access control to minimize the number of accounts with authenticated access at Subscriber level or higher. Monitor outgoing support requests for unusual or suspicious content that could indicate exploitation attempts. Additionally, consider isolating or sandboxing the WordPress environment to limit the impact of a compromised low-privilege account. Regularly audit user roles and permissions so that they follow the principle of least privilege. Finally, follow the plugin vendor's release notes and security advisories so the patch can be applied promptly.
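As an added example of the "custom code" stopgap recommended above (not vendor code), this must-use plugin refuses a named admin-ajax action for any user below the required capability and logs the refusal, which also supports the monitoring recommendation. The advisory does not give the AJAX action name that reaches wprss_ajax_send_premium_support, so `PLACEHOLDER_premium_support_action` is a placeholder to be replaced after confirming the name in the plugin source; the `manage_options` requirement is likewise an assumption about who should be allowed to contact support.

```php
<?php
/**
 * Plugin Name: Interim AJAX authorization guard (added example, not the plugin's code)
 * Description: Drop into wp-content/mu-plugins/ until the vendor patch is applied.
 */

// ASSUMPTION: the admin-ajax 'action' value(s) that dispatch to the vulnerable handler.
// The advisory does not state the name; confirm it in the plugin source before use.
const EXAMPLE_GUARDED_ACTIONS = array( 'PLACEHOLDER_premium_support_action' );

// Capability a caller must hold; Subscriber, Contributor, Author and Editor lack it.
const EXAMPLE_REQUIRED_CAP = 'manage_options';

function example_guard_ajax_action() {
    // admin_init also fires on regular admin pages; only admin-ajax.php requests matter here.
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, EXAMPLE_GUARDED_ACTIONS, true ) ) {
        return; // not an endpoint this guard covers
    }
    if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        return; // authorized; let the plugin's own handler run normally
    }
    // Log the refused attempt so unusual support-request activity can be reviewed.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf(
        'example_guard: refused ajax action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        $ip
    ) );
    // wp_send_json_error() ends the request via wp_die(), so the wp_ajax_* hook never fires.
    wp_send_json_error( 'Insufficient permissions', 403 );
}

// admin-ajax.php runs admin_init before dispatching wp_ajax_{action}, so this guard runs first.
add_action( 'admin_init', 'example_guard_ajax_action' );
```

Because the guard keys on the request's `action` parameter, it must be updated if the plugin registers the handler under a different or additional action name.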


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-10-07T15:36:07.784Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b52b7ef31ef0b552285

Added to database: 2/25/2026, 9:36:18 PM

Last enriched: 2/25/2026, 11:25:44 PM

Last updated: 2/26/2026, 8:10:20 AM

