### [CVE-2024-9583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9583)
![](https://img.shields.io/static/v1?label=Product&message=RSS%20Aggregator%20%E2%80%93%20RSS%20Import%2C%20News%20Feeds%2C%20Feed%20to%20Post%2C%20and%20Autoblogging&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=*%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-862%20Missing%20Authorization&color=brightgreen)

### Description

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support allowing them to impersonate the site owner. License information may also be leaked.

### POC

#### Reference
- https://www.wordfence.com/threat-intel/vulnerabilities/id/126c77fa-11c5-431f-8fc9-0375ed6c8a91?source=cve

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/cyb3r-w0lf/nuclei-template-collection
- https://github.com/fkie-cad/nvd-json-data-feeds