The RSS Aggregator by Feedzy WordPress plugin up to version 5.1.7 contains a missing authorization (CWE-862) vulnerability that allows authenticated users with contributor-level permissions or higher to bypass intended access controls. This is possible because the plugin does not properly verify that the user is authorized to perform certain actions. The nonce required to access sensitive sub-handlers is leaked to users with edit_posts capability through a localized JavaScript object injected into the block editor, enabling these users to create and execute RSS import jobs, purge posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names without additional privilege escalation. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting a network attack vector with low complexity and requiring low privileges but no user interaction, impacting integrity but not confidentiality or availability. No patch or official remediation has been published as of the latest data.

This vulnerability allows authenticated users with contributor-level access or higher to perform unauthorized actions within the plugin, including creating and executing import jobs, deleting posts linked to any import job, clearing error logs, and enumerating taxonomy and metadata information. While it does not impact confidentiality or availability, it poses an integrity risk by enabling unauthorized content manipulation and data enumeration within the WordPress environment. No known exploitation in the wild has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access and higher to trusted users only. Monitor for updates from the vendor themeisle regarding patches or official mitigations. Avoid granting edit_posts capability to untrusted users to reduce exposure.