CVE-2020-36758: Changeset 2369394 for feedzy-rss-feeds/trunk/includes/admin/feedzy-rss-feeds-admin.php – WordPress Plugin Repository
The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.2. This is due to missing or incorrect nonce validation on the save_feedzy_post_type_meta() function. This makes it possible for unauthenticated attackers to update post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Timestamp:
08/26/2020 10:56:16 AM (3 years ago)
codeinwp
Message:
Release v3.4.3
File:
- feedzy-rss-feeds/trunk/includes/admin/feedzy-rss-feeds-admin.php (1 diff)
feedzy-rss-feeds/trunk/includes/admin/feedzy-rss-feeds-admin.php
r2345315
r2369394
269
269
if (
270
270
empty( $\_POST ) ||
271
( isset( $\_POST\['feedzy\_category\_meta\_noncename'\] ) && ! wp\_verify\_nonce( $\_POST\['feedzy\_category\_meta\_noncename'\], FEEDZY\_BASEFILE ) ) ||
271
! wp\_verify\_nonce( $\_POST\['feedzy\_category\_meta\_noncename'\], FEEDZY\_BASEFILE ) ||
272
272
! current\_user\_can( 'edit\_post', $post\_id )
273
273
) {
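Review bot: The added line 271 reads `$_POST['feedzy_category_meta_noncename']` without an `isset()` guard, so a POST that omits the field raises an undefined-index notice before `wp_verify_nonce()` returns false for the empty value. The outcome is correct, since the removed line skipped verification whenever the field was absent and a forged request without the field therefore passed this condition, but the intent would be explicit and notice-free with `! isset( $_POST['feedzy_category_meta_noncename'] ) ||` placed ahead of the verify call. Consider also passing the value through `wp_unslash()` and `sanitize_text_field()` before verification, as the WordPress coding standards expect for nonce input. The `current_user_can( 'edit_post', $post_id )` check on line 272 should stay as the last term so the capability check still applies to every request that carries a valid nonce.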