Impact
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server‑Side Request Forgery (SSRF) in all versions up to and including 5.3.1. The flaw stems from inadequate validation of user‑supplied URLs before they are passed to PHP's getimagesize() function within the Elementor widget integration. An attacker who can authenticate with at least Contributor‑level access and who has permission to use Elementor can supply a crafted value for the fifu_input_url parameter, causing the web application to initiate arbitrary HTTP requests from the server. This permits the attacker to probe internal network services, read sensitive data from protected resources, and potentially modify or compromise internal systems depending on the target endpoints. The primary impact is a violation of the confidentiality and integrity of internal resources through requests made by the server.
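One way to validate a user-supplied image URL before it reaches getimagesize(), shown as an added example; it is not the plugin's code and not its actual fix. The function name example_is_safe_image_url and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the FIFU plugin.

/** Return true only if $url is http(s) and every address its host resolves to is public. */
function example_is_safe_image_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // getimagesize() accepts any registered stream wrapper (file://, php://, phar://, ...),
    // so the scheme is allow-listed rather than block-listed.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // parse_url() keeps the brackets of IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        // IPv4 lookup only; a name that does not resolve is rejected.
        $ips = gethostbynamel($host) ?: [];
    }
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // Reject loopback, link-local and other reserved ranges plus private ranges.
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (IP literals, so the script runs without DNS).
$samples = [
    'http://203.0.113.10/cover.jpg', // documentation-range address standing in for a public host
    'http://127.0.0.1:8080/status',  // loopback
    'http://10.0.0.5/image.png',     // private range
    'http://[::1]/image.png',        // IPv6 loopback
    'file:///etc/hostname',          // non-HTTP stream wrapper
];
foreach ($samples as $u) {
    printf("%-32s %s\n", $u, example_is_safe_image_url($u) ? 'allow' : 'reject');
}
```

The check does not cover HTTP redirects or a host name that resolves differently between validation and fetch, so the fetch itself should refuse redirects and connect to the validated address. In WordPress code, wp_safe_remote_get() applies a comparable URL check.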
Affected Systems
WordPress sites that have the Featured Image from URL (FIFU) plugin installed with version 5.3.1 or earlier. The vulnerability is present in the Elementor widget integration of the plugin. Administrators should verify the installed plugin version on all sites.
Risk and Exploitability
The CVSS score of 4.3 indicates a low overall severity, and the EPSS score of less than 1 % suggests that the probability of exploitation in the wild is very low. The flaw can be exploited only by users who can authenticate and hold Contributor or higher privileges within WordPress, which limits the attacker’s initial access. Consequently the threat is primarily internal; an attacker with such permissions could use the plugin to reach internal services, but a remote unauthenticated attacker cannot exploit the issue directly. The vulnerability is not listed in CISA’s KEV catalog, and no public exploit evidence is known at this time. Nonetheless, because it enables SSRF, institutions that expose internal resources should consider it a moderate risk if an attacker gains Contributor access.