Description
The Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image metadata in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-11-11
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via image metadata injection
Action: Immediate Patch
AI Analysis

Impact

The Featured Image plugin for WordPress contains a stored cross‑site scripting flaw that allows attackers with administrator privileges to inject arbitrary JavaScript via image metadata. The plugin fails to sanitize and escape this input, so the malicious scripts are rendered and executed whenever a user views a page with the injected image. This can lead to session hijacking, phishing, defacement, or other client‑side compromise, affecting confidentiality, integrity, and availability of the site.

Affected Systems

The vulnerability affects all releases of the Featured Image plugin up to and including version 2.1. It only applies to multi‑site WordPress installations where the unfiltered_html capability has been disabled, and requires an authenticated user with administrator‑level permissions or higher. In practice, any site running the vulnerable plugin on version 2.1 or older that permits high‑privilege users to upload images is at risk.

Risk and Exploitability

With a CVSS score of 4.4 the flaw is categorized as moderate, and the EPSS score is below 1 %, indicating a low likelihood of exploitation at the moment. The flaw is not listed in the CISA KEV catalog, but attackers possessing sufficient administrative rights could leverage the stored XSS to compromise other site users. The attack vector is local to the site's admin account, so the risk is limited to privileged users, but once the attacker injects the payload, any visitor to the affected page can be affected.

Generated by OpenCVE AI on April 21, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Featured Image plugin to version 2.2 or later, which removes the vulnerable image metadata handling code.
  • If an upgrade is not immediately possible, remove image metadata from all existing images and disable the 'unfiltered_html' capability for non‑administrator roles to prevent the injection vector.
  • Implement a robust Content Security Policy that restricts script execution to trusted sources, thereby mitigating the impact of any XSS payload that may still be present.

Generated by OpenCVE AI on April 21, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Mon, 22 Dec 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mer.vin
Mer.vin featured Image
CPEs cpe:2.3:a:mer.vin:featured_image:*:*:*:*:*:wordpress:*:*
Vendors & Products Mer.vin
Mer.vin featured Image

Wed, 12 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image metadata in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Featured Image <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Mer.vin Featured Image
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:18.804Z

Reserved: 2025-10-21T14:17:08.139Z

Link: CVE-2025-12019

cve-icon Vulnrichment

Updated: 2025-11-12T14:56:08.040Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T04:15:45.797

Modified: 2026-04-08T19:23:08.273

Link: CVE-2025-12019

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses