CVE-2024-0628: 
WordPress vulnerability analysis and mitigation

The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 4.23.5. The vulnerability was discovered and reported by Wordfence, with the CVE identifier CVE-2024-0628. The vulnerability affects the RSS feed source functionality in the admin settings of the plugin (Wordfence Advisory).

The vulnerability allows authenticated attackers with administrator-level access to make web requests to arbitrary locations originating from the web application. This SSRF vulnerability has been assigned a CVSS v3.1 Base Score of 3.8 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N. The weakness is classified as CWE-918 (Server-Side Request Forgery) (NVD Database).

The vulnerability can be exploited to query and modify information from internal services. Given that the attack requires administrator-level access, the impact is somewhat limited but still significant as it could potentially be used to bypass internal network restrictions and access sensitive internal resources (NVD Database).

A patch has been released to address this vulnerability. Users are advised to update their WP RSS Aggregator plugin to a version newer than 4.23.5 (WordPress Plugin).