Description
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling unauthorized data extraction
Action: Patch immediately
AI Analysis

Impact

The Featured Image from URL plugin contains a SQL Injection flaw in the get_all_urls() function. User-supplied input is concatenated into a database query without being escaped or passed through a prepared statement, so additional SQL statements can be embedded in it. Exploitation requires an account with Administrator privileges or higher; such an account can inject arbitrary queries that read sensitive data from the database, compromising confidentiality.
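As an added illustration of the defect class described above (hypothetical code, not the plugin's own get_all_urls(), which this page does not reproduce), the following shows a WordPress $wpdb query built by string concatenation next to the same query bound through $wpdb->prepare(); the meta key 'example_image_url' and the function names are constructed for the example:

```php
<?php
// Hypothetical illustration of the CWE-89 pattern described above; this is
// NOT the plugin's get_all_urls() code. Assumes the WordPress $wpdb global
// and a constructed meta key 'example_image_url' standing in for the real one.

// Vulnerable shape: caller-controlled post IDs are spliced straight into SQL.
function example_get_urls_unsafe( array $post_ids ) {
    global $wpdb;
    $list = implode( ',', $post_ids ); // no type check, no escaping
    $sql  = "SELECT post_id, meta_value FROM {$wpdb->postmeta}"
          . " WHERE meta_key = 'example_image_url' AND post_id IN ({$list})";
    return $wpdb->get_results( $sql ); // raw string reaches the database
}

// Hardened shape: coerce to integers, then bind every value via prepare().
function example_get_urls_safe( array $post_ids ) {
    global $wpdb;
    $post_ids = array_values( array_filter( array_map( 'intval', $post_ids ) ) );
    if ( empty( $post_ids ) ) {
        return array(); // nothing to query; also avoids an empty IN () clause
    }
    // One %d placeholder per ID, so each value is bound as an integer.
    $placeholders = implode( ',', array_fill( 0, count( $post_ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT post_id, meta_value FROM {$wpdb->postmeta}"
        . " WHERE meta_key = %s AND post_id IN ({$placeholders})",
        array_merge( array( 'example_image_url' ), $post_ids )
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of bug, the check is simply whether every value that originates from a request reaches $wpdb through a placeholder rather than through interpolation.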

Affected Systems

WordPress sites running the marceljm Featured Image from URL plugin at version 5.2.7 or earlier are affected, as the issue is present in every release up to and including 5.2.7. Site administrators should verify that the plugin has been upgraded past this version or removed entirely.

Risk and Exploitability

The CVSS score of 4.9 (Medium) indicates moderate severity, and the EPSS estimate of under 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authenticated administrator, the attack surface is limited to privileged accounts; an attacker would first need to compromise or hijack an admin account to reach the injection point.

Generated by OpenCVE AI on April 21, 2026 at 02:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Featured Image from URL plugin to a version newer than 5.2.7 to remove the vulnerable code path.
  • If an immediate upgrade is not possible, restrict the number of administrators and enforce strict role-based access controls to limit privileged account exposure.
  • Apply a database firewall or web application firewall rule that blocks unexpected multi-statement execution in SQL queries related to the plugin.

Advisories

Source: EUVD
ID: EUVD-2025-31211
Title: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

History

Mon, 24 Nov 2025 21:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 11:45:00 +0000

Type: First Time appeared
Values Added: Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 04:45:00 +0000

Type: Description
Values Added: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:34.845Z

Reserved: 2025-09-05T17:06:55.850Z

Link: CVE-2025-10036

Vulnrichment

Updated: 2025-09-26T19:46:47.868Z

NVD

Status : Deferred

Published: 2025-09-26T05:15:35.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses