SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin

On February 1st, 2024, during the second Wordfence Bug Bounty Extravaganza, Wordfence received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000 active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes.

Props to Lucio Sá, who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $329.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence contacted Themeisle on February 8, 2024, and received a response on the same day. After providing full disclosure details, the developer released a patch on February 9, 2024. We would like to commend Themeisle for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of RSS Aggregator by Feedzy, which is version 4.4.3, as soon as possible.

Source: https://www.wordfence.com/blog/2024/02/sql-injection-vulnerability-patched-in-rss-aggregator-by-feedzy-wordpress-plugin
