CVE-2025-11128: CWE-918 Server-Side Request Forgery (SSRF) in themeisle RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
AI Analysis
Technical Summary
CVE-2025-11128 is a Server-Side Request Forgery (SSRF) vulnerability in the WordPress plugin 'RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator', maintained by themeisle. It affects all versions up to and including 5.1.0 and is located in the 'feedzy_sanitize_feeds' function. SSRF lets an attacker make the server issue HTTP requests to destinations of the attacker's choosing, including internal network resources that are not reachable from outside; the usual source of such a flaw is a user-supplied feed URL that is fetched server-side without checking where it points. Exploitation requires an authenticated account with at least the Subscriber role, the lowest default WordPress role, which suggests the code path is reachable without a meaningful capability check; this makes the flaw practical wherever self-registration is enabled or a low-privilege credential has been phished or reused. The CVSS 3.1 base score is 5.0 (medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, a scope change because the forged request affects systems other than the vulnerable plugin itself, and a limited confidentiality impact with no integrity or availability impact. In practice the attacker can learn which internal services answer and read responses the server is able to fetch, but cannot modify data or cause a denial of service through this flaw alone. No public exploit is known at the time of writing, but the vulnerability is well suited to internal reconnaissance, reaching services bound to localhost or the internal network, and pivoting from there. The plugin has a large install base among WordPress users who aggregate RSS feeds and YouTube videos, so exposed instances are easy to find. This analysis notes no official patch at the time of disclosure; the advisory lists only versions up to and including 5.1.0 as affected, so any later release should be checked against themeisle's changelog, and until a fixed release is installed the mitigations below apply. The root cause is the familiar one: a web application that fetches external URLs without validating the destination or restricting who may trigger the fetch.
Potential Impact
For European organizations, this SSRF vulnerability poses a risk of unauthorized access to internal network resources, such as intranet portals, cloud instance metadata services, and internal APIs, from a WordPress host that is reachable from the internet. An attacker with a low-privilege account can use it to map internal infrastructure, which is a common precursor to lateral movement or data exfiltration. Sites that allow self-registration or that reuse weak credentials are the most exposed. The direct impact is confidentiality loss: the attacker can read what the server can fetch but cannot modify or disrupt services through this flaw. Cloud metadata endpoints deserve particular attention, because where they answer without a session token (IMDSv1-style access) a readable SSRF response can contain temporary cloud credentials, which extends the impact well beyond the WordPress host. Given the widespread use of WordPress in Europe, particularly among small and medium enterprises and public-sector websites, the exposed population is broad. The medium severity score reflects the limited direct impact, but the low privilege needed and the reconnaissance value of the access raise the practical threat. Organizations in regulated sectors such as finance, healthcare, and government should be particularly vigilant given the sensitivity of the internal data that could be exposed.
Mitigation Recommendations
1. Review user roles and accounts on WordPress sites running the Feedzy plugin: turn off open self-registration (Settings > General > "Anyone can register") unless it is genuinely needed, remove stale Subscriber accounts, and enforce strong passwords and multi-factor authentication for every account, since any Subscriber credential is enough to reach the vulnerable function.
2. Disable or uninstall the plugin where it is not essential. A deactivated plugin's code is not loaded, but uninstalling removes the risk of it being re-enabled.
3. Restrict outbound HTTP/HTTPS from the web server to the feed sources it legitimately needs, and explicitly block RFC 1918 ranges, 127.0.0.0/8, 169.254.0.0/16 (including the 169.254.169.254 metadata endpoint) and their IPv6 equivalents (::1, fe80::/10, fc00::/7). On cloud hosts, also require session-token metadata access (for example IMDSv2 on AWS) or block the metadata endpoint for the web server process.
4. Add WAF rules that inspect feed URL parameters sent to the plugin and block values whose host is an IP literal in an internal range, 'localhost', or a non-http(s) scheme. Hostname-based rules are bypassed by attacker-controlled DNS that resolves to an internal address, so treat the WAF as a second layer behind egress filtering, not a replacement for it.
5. Watch themeisle's changelog and apply the fixed release as soon as it ships; the affected range ends at 5.1.0, so look for a later version.
6. Audit installed WordPress plugins and remove or replace those with known vulnerabilities or a poor security track record.
7. Segment the network so the web server cannot reach sensitive internal services at all; this limits what a successful SSRF can read.
8. Log outbound connections from the web server (proxy, firewall or conntrack logs) and alert on destinations in internal ranges or the metadata endpoint; correlate with WordPress access logs for requests to the plugin's feed-handling endpoints that carry unusual URLs.
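The resolve-then-check validation described in the Technical Summary, and the egress-log detection in recommendation 8, worked as an added example. This is not the Feedzy plugin's code and does not reproduce the 'feedzy_sanitize_feeds' function; it assumes a generic "feed URL" input of the kind any feed fetcher receives, and a constructed outbound-connection log of the shape `timestamp process src=ip:port dst=ip:port host=name`. The hostnames, addresses and log lines are invented for the example. The validator checks every address a hostname resolves to rather than the hostname string, which is what a string-based filter misses (decimal IP literals, IPv4-mapped IPv6, a DNS name the attacker points at 127.0.0.1, or a split answer with one public and one internal address).

```python
"""Feed-URL validation (resolve, then check every address) and an egress-log
scan for SSRF attempts. Added example; not the Feedzy plugin's code.
Hostnames, addresses and log lines below are constructed for the example."""
import ipaddress
import re
import socket
from typing import Callable
from urllib.parse import urlsplit

# Assumed block list: CGNAT (not flagged as private by every Python version)
# and well-known cloud metadata addresses. Extend for your environment.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]
METADATA_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}
# Note: ipaddress treats the RFC 5737 documentation ranges (192.0.2/24,
# 198.51.100/24, 203.0.113/24) as private, so ordinary routable addresses
# are used below as placeholder "public" feed hosts.


def is_forbidden_ip(ip: str) -> bool:
    """True if a feed fetcher must never connect to this address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable (e.g. scoped IPv6 'fe80::1%eth0'): refuse
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if str(addr) in METADATA_ADDRESSES or any(addr in net for net in EXTRA_BLOCKED):
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def dns_resolve(host: str) -> list:
    """All addresses the host resolves to (an IP literal resolves to itself)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_feed_url(url: str, resolver: Callable[[str], list] = dns_resolve) -> tuple:
    """Return (accepted, reason). Rejects on scheme, embedded credentials, port,
    and if ANY resolved address is forbidden (split or rebinding answers included)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"  # catches host@internal tricks
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    try:
        addresses = resolver(parts.hostname)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host did not resolve"
    for ip in addresses:
        if is_forbidden_ip(ip):
            return False, f"{parts.hostname} resolves to disallowed address {ip}"
    return True, "ok"


# Constructed DNS table standing in for real resolution so the example runs offline.
CONSTRUCTED_DNS = {
    "feeds.example.net": ["93.184.215.14"],            # placeholder public address
    "localhost": ["127.0.0.1"],
    "2130706433": ["127.0.0.1"],                       # what inet_aton makes of a decimal literal
    "rebind.example": ["93.184.215.15", "10.0.0.2"],   # split answer: one public, one internal
}


def constructed_resolver(host: str) -> list:
    """Offline stand-in for dns_resolve: IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return CONSTRUCTED_DNS.get(host, [])


# Constructed outbound-connection log from the web server (assumed format).
CONSTRUCTED_EGRESS_LOG = """\
2025-10-23T13:01:02Z www-data src=10.20.0.5:51822 dst=93.184.215.14:443 host=feeds.example.net
2025-10-23T13:01:09Z www-data src=10.20.0.5:51830 dst=169.254.169.254:80 host=169.254.169.254
2025-10-23T13:01:15Z www-data src=10.20.0.5:51834 dst=10.20.0.7:8080 host=intranet.corp
2025-10-23T13:01:20Z www-data src=10.20.0.5:51836 dst=10.20.0.9:3306 host=db.corp
2025-10-23T13:02:01Z www-data src=10.20.0.5:51840 dst=142.250.74.110:443 host=www.youtube.com
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) src=\S+ dst=\[?(?P<dst>[0-9A-Fa-f:.]+)\]?:(?P<port>\d+) host=(?P<host>\S+)")


def find_internal_egress(log_text: str, allowed_internal=frozenset()) -> list:
    """Connections from the web server to internal or metadata addresses, minus
    an allowlist of internal dependencies it legitimately uses (e.g. its database)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dst"] in allowed_internal:
            continue
        if is_forbidden_ip(m["dst"]):
            hits.append({"ts": m["ts"], "dst": m["dst"], "port": int(m["port"]), "host": m["host"]})
    return hits


if __name__ == "__main__":
    for u in ("https://feeds.example.net/rss", "http://169.254.169.254/latest/meta-data/",
              "http://2130706433/", "http://[::ffff:127.0.0.1]/", "http://rebind.example/feed"):
        print(u, validate_feed_url(u, constructed_resolver))
    for hit in find_internal_egress(CONSTRUCTED_EGRESS_LOG, allowed_internal={"10.20.0.9"}):
        print("ALERT", hit)
```

Two caveats apply to the validator. The address that passed the check must also be the one the fetcher connects to, either by pinning the resolved IP or by re-running the check inside the HTTP client's resolver, otherwise a DNS name that changes its answer between the check and the fetch (rebinding) slips through. Redirects must be re-validated per hop, since a 302 from a public host to an internal address is the other standard bypass.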
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-27T21:52:08.932Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fa270960d00e69dc99fa69
Added to database: 10/23/2025, 1:00:57 PM
Last enriched: 10/23/2025, 1:08:52 PM
Last updated: 10/30/2025, 1:51:38 PM