CVE-2025-11128 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, found in the WordPress plugin 'RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator' developed by themeisle. The vulnerability exists in all versions up to and including 5.1.0 within the 'feedzy_sanitize_feeds' function. This function fails to properly validate or sanitize user-supplied input that controls URLs for feed fetching, allowing authenticated users with as low as Subscriber-level privileges to induce the server to make arbitrary HTTP requests. Because the requests originate from the server, attackers can potentially access internal network resources that are otherwise inaccessible externally, such as internal APIs, metadata services, or private endpoints. The vulnerability does not require user interaction beyond authentication and has a CVSS 3.1 base score of 5.0, reflecting medium severity with network attack vector, low attack complexity, and privileges required. No known public exploits have been reported yet. The scope is limited to WordPress sites running this plugin, but the impact can be significant if internal services contain sensitive information. The vulnerability primarily threatens confidentiality, as it can be used to gather information from internal systems, but does not directly affect integrity or availability of the WordPress site or backend services.

The primary impact of CVE-2025-11128 is unauthorized information disclosure from internal network resources accessible to the vulnerable WordPress server. Attackers with Subscriber-level access can leverage the SSRF to probe internal services, potentially exposing sensitive data such as internal APIs, cloud metadata endpoints, or private databases. This can lead to further attacks like privilege escalation or lateral movement if sensitive information is obtained. While the vulnerability does not directly compromise data integrity or availability, the information gained can facilitate more severe attacks. Organizations running WordPress sites with this plugin are at risk of internal network reconnaissance and data leakage. The medium CVSS score reflects moderate risk, but the ease of exploitation by low-privilege users increases the threat. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability should be addressed promptly to prevent future exploitation.

1. Update the 'RSS Aggregator by Feedzy' plugin to a patched version once available from the vendor to eliminate the SSRF vulnerability. 2. Until a patch is released, restrict user roles and permissions to minimize the number of users with Subscriber-level or higher access, especially on sites with untrusted users. 3. Implement web application firewall (WAF) rules to detect and block suspicious outbound HTTP requests originating from the WordPress server, particularly those targeting internal IP ranges or unusual endpoints. 4. Monitor server logs for unusual outbound requests or patterns indicative of SSRF exploitation attempts. 5. Harden internal network services by restricting access to sensitive endpoints and metadata services, using network segmentation and access controls to limit exposure if SSRF occurs. 6. Employ security plugins or custom code to sanitize and validate all user inputs related to feed URLs beyond the vulnerable function. 7. Conduct regular security audits and vulnerability scans on WordPress installations and plugins to detect outdated or vulnerable components.