CVE-2025-11917
WPeMatico RSS Feed Fetcher <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed
CVSS Score
6.4
EPSS Score
0.0%
EPSS Percentile
0th
The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
| CWE | CWE-918 |
| Vendor | etruel |
| Product | wpematico rss feed fetcher |
| Published | Nov 5, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for etruel wpematico rss feed fetcher
Be the first to know when new medium vulnerabilities affecting etruel wpematico rss feed fetcher are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
etruel / WPeMatico RSS Feed Fetcher
0 โค 2.8.11
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5a1c6377-c2a7-4344-86bd-d2797db19469?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/campaign_edit.php#L24 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/wpematico_functions.php#L1249 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/wpematico_functions.php#L1260 github.com: https://github.com/etruel/wpematico/commit/7a281dcfc0868490d62caee54f3b743708fed7cf
Credits
Rafshanzani Suhada