Description
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.6 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-07-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery allowing authenticated administrators to cause the WordPress application to send arbitrary HTTP requests.
Action: Patch Now
AI Analysis

Impact

The vulnerability is a Server-Side Request Forgery that can be triggered through the fip_get_image_options() function in the Featured Image Plus plugin. An attacker who has administrator or higher privileges on a WordPress site can use this flaw to make web requests to arbitrary locations from the server, potentially exposing internal network services or sensitive data. The flaw does not directly compromise the server itself, but it enables the attacker to read or modify information from other systems reachable from the WordPress host, which can lead to data exfiltration or manipulation of internal services.

Affected Systems

WordPress sites that use the Featured Image Plus – Bulk Edit Featured Images, Unsplash & Alt Text Manager plugin version 1.6.6 or earlier. The plugin is maintained by krasenslavov. All site administrators with access to the plugin’s bulk edit features are potentially affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation so far. The flaw is not listed in CISA's KEV catalog. Because the vulnerability requires authenticated administrator privileges, an attacker would first need to compromise a site administrator account or abuse an existing administrator login. Once an attacker has that access, they can trigger the SSRF via the bulk edit route and cause the server to perform arbitrary HTTP requests. No public exploit binaries are available, but the path could be reproduced by a site administrator or a malicious plugin author.

Generated by OpenCVE AI on April 22, 2026 at 01:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Featured Image Plus plugin to the latest available version that includes the fix.
  • If an update is not immediately possible, restrict outgoing HTTP connectivity from the WordPress installation or configure a firewall to block requests to internal network ranges.
  • Audit server logs for unexpected outbound traffic originating from WordPress and investigate any anomalies promptly.
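The outbound-connectivity restriction in the second action can also be enforced inside WordPress itself. The following must-use plugin is an added example (not code from the Featured Image Plus plugin or from OpenCVE): it short-circuits WordPress HTTP API requests whose destination resolves to a loopback, private or reserved address, so plugin code that fetches a user-supplied URL through the HTTP API cannot reach internal services. The file name and the allow-list of hosts are assumptions to adjust per site.

```php
<?php
/**
 * Plugin Name: Block internal outbound HTTP
 * (added example; assumed path: wp-content/mu-plugins/block-internal-http.php)
 *
 * Hooks the WordPress HTTP API (wp_remote_get() and friends) and refuses
 * requests whose host resolves to loopback, RFC 1918 or reserved ranges,
 * which includes the 169.254.0.0/16 cloud metadata range.
 */

add_filter( 'pre_http_request', 'example_block_internal_http', 10, 3 );

function example_block_internal_http( $preempt, $parsed_args, $url ) {
    // Another filter already short-circuited this request; keep its result.
    if ( false !== $preempt ) {
        return $preempt;
    }

    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( empty( $host ) ) {
        return new WP_Error( 'blocked_internal_http', 'Outbound request has no host.' );
    }
    $host = strtolower( trim( $host, '[]' ) ); // strip IPv6 literal brackets

    // Hosts the site legitimately needs (assumed allow-list; extend as required).
    $allowed = array( 'api.unsplash.com', 'api.wordpress.org', 'downloads.wordpress.org' );
    if ( in_array( $host, $allowed, true ) ) {
        return false; // false = let WordPress perform the request normally
    }

    // IP literals are checked directly; hostnames are resolved first. gethostbyname()
    // returns the name unchanged on failure, which then fails validation (fail closed).
    // Resolving here and again in the transport leaves a DNS-rebinding window;
    // pin resolved addresses at the network layer if that matters for your site.
    $ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );

    $is_public = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );

    if ( false === $is_public ) {
        // Log the block so the third action (auditing outbound traffic) has a trail.
        error_log( sprintf( 'Blocked outbound HTTP request to %s (%s)', $host, $ip ) );
        return new WP_Error( 'blocked_internal_http', sprintf( 'Requests to %s are not permitted.', $host ) );
    }

    return false;
}
```

Requests made with raw cURL or sockets bypass the HTTP API and therefore this filter, so it complements rather than replaces the egress firewall rule.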


Advisories

Source: EUVD
ID: EUVD-2025-22403
Title: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.4 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.4 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Values Added: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.6 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values Removed: Featured Image Plus – Quick & Bulk Edit with Unsplash <= 1.6.4 - Authenticated (Admin+) Server-Side Request Forgery
Values Added: Featured Image Plus – Quick & Bulk Edit with Unsplash <= 1.6.6 - Authenticated (Admin+) Server-Side Request Forgery

Type: References

Wed, 23 Jul 2025 17:45:00 +0000

Type: First Time appeared
Values Added:
  • Krasenslavov
  • Krasenslavov featured Image Plus
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Krasenslavov
  • Krasenslavov featured Image Plus
  • Wordpress
  • Wordpress wordpress

Wed, 23 Jul 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 23 Jul 2025 02:45:00 +0000

Type: Description
Values Added: The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.4 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values Added: Featured Image Plus – Quick & Bulk Edit with Unsplash <= 1.6.4 - Authenticated (Admin+) Server-Side Request Forgery

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:34.735Z

Reserved: 2025-06-06T16:49:08.190Z

Link: CVE-2025-5818

Vulnrichment

Updated: 2025-07-23T15:54:01.209Z

NVD

Status: Deferred

Published: 2025-07-23T03:15:24.627

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses