Description
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-12-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file uploads potentially enabling remote code execution
Action: Apply patch
AI Analysis

Impact

The Featured Image via URL plugin for WordPress lacks file-type validation in all releases up to 0.1, allowing an authenticated attacker with Contributor or higher access to upload any file to the server. Uploaded files can be crafted to contain malicious code, which, if placed in an executable location, may lead to remote code execution. The consequence is a compromise of data confidentiality, integrity, and availability on the affected site.

Affected Systems

The vulnerability affects all installations of the Featured Image via URL WordPress plugin with version 0.1 or older. Any site that has installed this plugin and grants Contributor or higher roles to users is at risk.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity, yet the EPSS score of less than 1% indicates that the exploit probability is currently low, and the issue is not listed in CISA's KEV catalog. The attack vector requires authenticated access; attackers gain upload privileges through the plugin's Contributor or higher capabilities. Because the flaw allows arbitrary file uploads, the risk level warrants immediate attention.

Generated by OpenCVE AI on April 22, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Featured Image via URL plugin to the latest release that implements proper file-type validation.
  • If an update is not available, either disable or remove the plugin until a fix is released.
  • Secure the upload directory by setting restrictive file permissions and configuring a web application firewall to block unexpected file uploads and enforce MIME type checks.

Generated by OpenCVE AI on April 22, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:15.786Z

Reserved: 2025-10-24T13:03:55.950Z

Link: CVE-2025-12153

cve-icon Vulnrichment

Updated: 2025-12-05T14:13:35.737Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T06:16:05.707

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12153

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses