It has been discovered that RSS widgets are susceptible to XML external entity processing.
This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.