What the vulnerability does
01 Description
The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds.
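The missing-check pattern described above, next to a hardened handler, as an added illustration that is not the plugin's source. The function names, the `feed_id` parameter, the nonce action and the assumption that feeds are stored as WordPress posts are all hypothetical.

```php
<?php
// Added illustration, NOT the plugin's code. All names here are hypothetical,
// and feeds are assumed to be stored as WordPress posts.

// Pattern named in the advisory: the page callback acts on a request
// parameter without asking whether the current user may do so.
function example_listing_page_unchecked() {
    if ( isset( $_GET['feed_id'] ) ) {
        // Runs for every role that can load this admin page.
        wp_delete_post( absint( $_GET['feed_id'] ), true );
    }
}

// Hardened form: verify intent (nonce) and authorization (capability)
// before the state change.
function example_listing_page_checked() {
    if ( ! isset( $_GET['feed_id'] ) ) {
        return;
    }
    $feed_id = absint( wp_unslash( $_GET['feed_id'] ) );

    // 1. Intent: the request must carry a nonce this site issued for this
    //    exact action. check_admin_referer() ends the request if it is
    //    missing or invalid.
    check_admin_referer( 'example_delete_feed_' . $feed_id );

    // 2. Authorization: a nonce is not a permission check. Any logged-in
    //    user who can view the page can obtain one, so the role must be
    //    checked separately. 'manage_options' limits the action to
    //    administrators on a default role setup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html( 'You are not allowed to delete feeds.' ),
            '',
            array( 'response' => 403 )
        );
    }

    wp_delete_post( $feed_id, true );
}
```

The delete link that targets the hardened handler would be built with `wp_nonce_url()` using the same action string, so that `check_admin_referer()` finds the `_wpnonce` parameter it expects.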
Explanation of Vulnerability in Simple Terms
02 Summary
The WP Filter & Combine RSS Feeds plugin for WordPress versions 0.4 and earlier does not properly check user permissions before allowing modifications to RSS feed settings. A logged-in user with low privileges can alter feed configurations that should be restricted to administrators, potentially redirecting or modifying feed content displayed on the site.
What an attacker can do
03 Attacker Capabilities
Modify RSS feed settings and configurations without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can alter which RSS feeds are displayed and how they are combined, potentially injecting malicious content or breaking feed functionality.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor).
Key dates
06 Disclosure timeline
August 23, 2025: CVE published
April 8, 2026: Record updated