Description
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The Featured Image from URL (FIFU) plugin for WordPress contains a vulnerability in its get_posts_with_internal_featured_image() function. The code does not properly escape user supplied parameters and does not prepare the SQL query, allowing an authenticated attacker with Administrator-level access to inject additional SQL statements. This can lead to extraction of sensitive database contents such as user credentials, configuration data, or other confidential information. The weakness is a classic SQL Injection flaw, classified as CWE-89.

Affected Systems

The flaw affects the Featured Image from URL (FIFU) plugin by marceljm in all releases up to and including version 5.2.7. WordPress sites that have installed this plugin and have users with Administrator or higher roles are impacted.

Risk and Exploitability

According to the CVSS score of 4.9, the technical severity is moderate, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker has legitimate administrator credentials; the attack vector is therefore authenticated. If such access is available, the attacker can inject arbitrary SQL to read or exfiltrate data from the WordPress database.

Generated by OpenCVE AI on April 22, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Featured Image from URL plugin to the latest version (5.2.8 or later) once it becomes available, or apply the vendor’s official patch if released.
  • Restrict the plugin’s usage to trusted administrators only by reviewing user roles and removing unnecessary administrator accounts; consider disabling plugin features for non-privileged users.
  • Sanitize all data passed to the get_posts_with_internal_featured_image() function by escaping and using parameterized queries; test for residual SQL injection points in any custom code that interacts with the plugin.
  • As a temporary workaround, disable the plugin or the vulnerable function until a patch is applied to prevent injection attempts.


Advisories

Source: EUVD
ID: EUVD-2025-31214
Title: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

History

Mon, 24 Nov 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 11:45:00 +0000

Type: First Time appeared
Values Added: Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 04:45:00 +0000

Type: Description
Values Added: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:23.901Z

Reserved: 2025-09-05T17:13:27.772Z

Link: CVE-2025-10037

Vulnrichment

Updated: 2025-09-26T19:35:24.754Z

NVD

Status: Deferred

Published: 2025-09-26T05:15:36.167

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses