Description
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 5.2.2.
Published: 2025-10-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Patch Update
AI Analysis

Impact

The Featured Image from URL (FIFU) plugin for WordPress allows authenticated users with Contributor-level access or higher to store arbitrary JavaScript in the custom fields associated with a post's featured image. The stored value is neither properly sanitized on input nor escaped on output, so it executes in the browser of any user who views the affected post, potentially leading to session hijacking, credential theft, or defacement of the site. This is a classic Stored Cross-Site Scripting weakness (CWE-79) and can compromise the confidentiality, integrity, and availability of the site's web content.
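The defect class described above, shown as an added illustration that is not the FIFU plugin's own code: a hypothetical WordPress save handler and render helper for an image-URL custom field, sanitizing the value on save and escaping it on output. The meta key `_demo_image_url`, the nonce name, and the function names are assumptions made for this example.

```php
<?php
/*
 * Hypothetical WordPress plugin fragment (added example, not FIFU's code).
 * Pattern: sanitize the image-URL custom field on save, escape it on output.
 * Meta key, nonce and function names are made up for this illustration.
 */

// Save handler: runs only with a valid nonce and for users allowed to edit the post.
function demo_save_image_url( $post_id ) {
    if ( ! isset( $_POST['demo_image_url_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_image_url_nonce'], 'demo_save_image_url' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = isset( $_POST['demo_image_url'] ) ? wp_unslash( $_POST['demo_image_url'] ) : '';

    // Input sanitization: esc_url_raw() with an explicit protocol list rejects any
    // scheme other than http/https, so a script-bearing value is never stored.
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );

    if ( '' === $url ) {
        delete_post_meta( $post_id, '_demo_image_url' );
    } else {
        update_post_meta( $post_id, '_demo_image_url', $url );
    }
}
add_action( 'save_post', 'demo_save_image_url' );

// Render helper: the stored value is still treated as untrusted, because entries
// written before the sanitization existed may remain in the database.
function demo_image_tag( $post_id ) {
    $url = get_post_meta( $post_id, '_demo_image_url', true );
    if ( ! $url ) {
        return '';
    }
    // Output escaping for the attribute context: esc_url() for src, esc_attr() for alt.
    // Echoing $url here without escaping is the CWE-79 pattern the advisory describes.
    return sprintf(
        '<img src="%s" alt="%s" />',
        esc_url( $url ),
        esc_attr( get_the_title( $post_id ) )
    );
}
```

Both layers matter: sanitizing on save stops new payloads from being stored, while escaping on output also neutralizes values that were stored before the fix.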

Affected Systems

The vulnerability affects all releases of the Featured Image from URL (FIFU) plugin by marceljm up to and including version 5.2.7. A partial fix was introduced in version 5.2.2, but the flaw persists through 5.2.7. WordPress sites running any of these versions are at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity. The EPSS score below 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated account with Contributor or higher privileges, so an attacker must already hold or obtain such an account. Once a malicious payload is stored, it is delivered to every visitor of the affected post.

Generated by OpenCVE AI on April 20, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Featured Image from URL (FIFU) plugin to any release newer than 5.2.7, which removes the stored-XSS flaw.
  • If an update is not immediately available, temporarily deactivate the plugin to stop the storage of malicious content until a fix is released.
  • Restrict Contributor and higher roles from editing or setting featured image fields through the plugin until an official patch is applied.

Advisories

No advisories yet.

History

Wed, 08 Oct 2025 13:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress
Vendors & Products                     Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress

Tue, 07 Oct 2025 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Oct 2025 22:45:00 +0000

Type          Values Removed   Values Added
Description                    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 5.2.2.
Title                          Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:10.661Z

Reserved: 2025-07-09T18:44:13.906Z

Link: CVE-2025-7400

Vulnrichment

Updated: 2025-10-07T18:14:32.823Z

NVD

Status : Deferred

Published: 2025-10-07T08:15:35.287

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses