CVE-2024-9265

CRITICAL EXPLOITED

Echo RSS Feed Post Generator <= 5.4.6 - Unauthenticated Privilege Escalation via Registration Role Manipulation

Title source: llm

Exploitation Summary

CVE-2024-9265 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can be set during registration through the echo_check_post_header_sent() function. This makes it possible for unauthenticated attackers to register as an administrator.

Scores

CVSS v3 9.8
EPSS 0.0060
EPSS Percentile 44.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-10-01
CWE
CWE-269
Status published
Products (2)
CodeRevolution/Echo RSS Feed Post Generator < 5.4.6
coderevolution/echo_rss_feed_post_generator < 5.4.7
Published Oct 01, 2024
Tracked Since Feb 18, 2026