CVE-2025-11128: 
WordPress vulnerability analysis and mitigation

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 5.1.0. The vulnerability exists in the 'feedzy_sanitize_feeds' function and allows authenticated attackers with Subscriber-level access or above to make web requests to arbitrary locations from the web application, potentially exposing internal services (NVD). The vulnerability was discovered and disclosed on October 22, 2025.

The vulnerability is present in the 'feedzy_sanitize_feeds' function of the plugin and has been assigned a CVSS v3.1 score of 5.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. The issue stems from insufficient validation of feed URLs, allowing attackers to make server-side requests to arbitrary locations. The vulnerability is tracked as CWE-918 (Server-Side Request Forgery) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level privileges or higher to initiate server-side requests to arbitrary locations. This could potentially be exploited to query information from internal services and access resources that should not be accessible from external networks (NVD).

Users should update to a version newer than 5.1.0 when available. The vulnerability has been identified and reported, but specific patch information is not yet publicly available (NVD).