Description
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the featured image of any post.
Published: 2025-05-30
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Apply Patch
AI Analysis

Impact

The Featured Image Plus plugin is missing an authorization check in its fip_save_attach_featured handler. As a result, any authenticated user with Subscriber or higher privileges can trigger this function and change the featured image on arbitrary posts. This flaw allows an attacker to alter multimedia content, potentially misleading site visitors or facilitating social engineering attacks. The weakness stems from improper access control (CWE-284) and insufficient verification of user capabilities (CWE-862).
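As an added illustration, not the plugin's own code (the handler and action names are hypothetical), this is what a missing capability check looks like in a WordPress admin-ajax handler that sets a featured image, next to a hardened version that adds the nonce, per-post capability and attachment checks:

```php
<?php
// Constructed example (not the plugin's actual code). Handler and action
// names are hypothetical.

// BEFORE: wp_ajax_* hooks only require that the caller is logged in, so any
// Subscriber can reach this handler, and nothing verifies that the caller
// is allowed to edit the target post.
function example_attach_featured_vulnerable() {
    $post_id   = (int) $_POST['post_id'];
    $attach_id = (int) $_POST['attachment_id'];
    set_post_thumbnail( $post_id, $attach_id ); // missing authorization check
    wp_send_json_success();
}
add_action( 'wp_ajax_example_attach_featured', 'example_attach_featured_vulnerable' );

// AFTER: CSRF nonce, per-post capability check, and input validation.
function example_attach_featured_fixed() {
    // Reject requests that do not carry a valid nonce (CSRF protection).
    check_ajax_referer( 'example_attach_featured', 'nonce' );

    $post_id   = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $attach_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // Authorization: the caller must be allowed to edit this specific post.
    // 'edit_post' is a meta capability, so it also enforces ownership rules
    // for roles that may only edit their own content.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only accept a real image attachment as the thumbnail.
    if ( ! $attach_id || ! wp_attachment_is_image( $attach_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    if ( ! set_post_thumbnail( $post_id, $attach_id ) ) {
        wp_send_json_error( 'update failed', 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_example_attach_featured_fixed', 'example_attach_featured_fixed' );
```

The capability check is the part this CVE is about; the nonce check alone would not help, since a Subscriber can obtain a valid nonce for their own session.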

Affected Systems

The vulnerability affects WordPress sites running the Featured Image Plus plugin version 1.6.4 and earlier. It applies to all installations of the plugin published by the Krasenslavov author, including those using its Bulk Edit Featured Images, Unsplash, and Alt Text Manager components. Users should verify that they are running a patched version or remove the plugin.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. However, because the flaw requires only authenticated access and involves existing Subscriber-level permissions, an attacker who gains or has such access can exploit it with minimal effort. The impact is limited to post featured images and does not expose confidential data or enable remote code execution.

Generated by OpenCVE AI on April 22, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Featured Image Plus plugin to version 1.6.5 or later, which includes the missing capability check.
  • If an update is not feasible immediately, restrict Subscriber and Contributor roles from accessing the block editor or related settings, or temporarily revoke their capabilities until the patch is installed.
  • Verify that no other plugin functions lack proper authorization checks by reviewing the code or consulting with the plugin developer.

Generated by OpenCVE AI on April 22, 2026 at 14:54 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-16472
Title: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Description
  Values Removed: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.
  Values Added: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.
Type: Title
  Values Removed: Featured Image Plus <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update
  Values Added: Featured Image Plus <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update
Type: References

Wed, 04 Jun 2025 19:00:00 +0000

Type: First Time appeared
  Values Added: Krasenslavov; Krasenslavov featured Image Plus
Type: Weaknesses
  Values Added: CWE-862
Type: CPEs
  Values Added: cpe:2.3:a:krasenslavov:featured_image_plus:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Added: Krasenslavov; Krasenslavov featured Image Plus

Fri, 30 May 2025 14:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 May 2025 07:30:00 +0000

Type: Description
  Values Added: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.
Type: Title
  Values Added: Featured Image Plus <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update
Type: Weaknesses
  Values Added: CWE-284
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:16.714Z

Reserved: 2025-05-08T12:38:03.594Z

Link: CVE-2025-4431

Vulnrichment

Updated: 2025-05-30T13:56:12.522Z

NVD

Status : Modified

Published: 2025-05-30T08:15:19.383

Modified: 2026-04-08T17:20:44.770

Link: CVE-2025-4431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses