Description
The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-09-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery allowing Contributor‑level users to query or modify internal services
Action: Patch Promptly
AI Analysis

Impact

The Auto Save Remote Images (Drafts) plugin for WordPress contains a Server‑Side Request Forgery flaw in its fetch_images() function. An authenticated user with Contributor or higher access can supply arbitrary URLs for the plugin to retrieve on behalf of the server. Because the supplied URL is not validated, such a user can point the server at internal networks, either for reconnaissance or for active modification of services behind the web application. This vulnerability maps to CWE‑918.

Affected Systems

Any WordPress instance running the fernandiez Auto Save Remote Images (Drafts) plugin version 1.0.9 or earlier is affected. Sites that have upgraded beyond the 1.0.9 release are not vulnerable, but the exact patched version is not specified in the available data.

Risk and Exploitability

The CVSS score of 6.4 classifies the problem as moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw only requires a Contributor‑level login, any site that permits such users is at risk of internal system exposure if the server can reach internal IP ranges. The required skill level is low for an authenticated attacker, which increases the practical threat.

Generated by OpenCVE AI on April 21, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Auto Save Remote Images (Drafts) plugin to the latest version available from the vendor; the patch removes the vulnerable fetch_images() call.
  • If an immediate upgrade is impossible, constrain the plugin’s functionality so only administrators can activate or use fetch_images(), effectively blocking Contributor‑level access to the vulnerable endpoint.
  • Configure the web server or network perimeter to block outbound HTTP/HTTPS traffic originating from the WordPress application to private IP ranges such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 127.0.0.0/8, thereby preventing the server from contacting internal services via the flaw.
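The second and third recommendations above can be applied inside WordPress itself. The following must-use plugin is an added example for this advisory; it is not code from the Auto Save Remote Images (Drafts) plugin or from OpenCVE. It assumes the plugin fetches images through the WordPress HTTP API (wp_remote_get / WP_Http), that the file is dropped into wp-content/mu-plugins/, and the function names are the example's own. The capability restriction in the second recommendation depends on the plugin's hook and endpoint names, which the page does not give, so it is not implemented here.

```php
<?php
/**
 * Plugin Name: SSRF Egress Guard (added example, not the plugin's own code)
 * Description: Vetoes outbound WordPress HTTP API requests whose host resolves
 * to loopback, private, link-local or other non-routable address space.
 * Assumption: the vulnerable fetch path uses wp_remote_get()/WP_Http; requests
 * issued through raw cURL or file_get_contents() bypass this hook and need the
 * network-level egress block instead.
 */

/**
 * Return true if $ip (IPv4 or IPv6 text form) lies in address space that a
 * remote-image fetcher should never contact. Unparseable input fails closed.
 */
function ssrf_guard_ip_is_internal( string $ip ): bool {
	$packed = @inet_pton( $ip );
	if ( false === $packed ) {
		return true;
	}
	// IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by its embedded IPv4 address.
	if ( 16 === strlen( $packed ) && "\0\0\0\0\0\0\0\0\0\0\xff\xff" === substr( $packed, 0, 12 ) ) {
		$packed = substr( $packed, 12 );
	}
	if ( 4 === strlen( $packed ) ) {
		// Ranges from the advisory's recommendation plus "this network",
		// shared address space (CGNAT) and link-local (cloud metadata lives there).
		$blocks = array(
			'0.0.0.0'     => 8,
			'10.0.0.0'    => 8,
			'100.64.0.0'  => 10,
			'127.0.0.0'   => 8,
			'169.254.0.0' => 16,
			'172.16.0.0'  => 12,
			'192.168.0.0' => 16,
		);
		$addr = ip2long( inet_ntop( $packed ) );
		foreach ( $blocks as $net => $bits ) {
			$mask = -1 << ( 32 - $bits );
			if ( ( $addr & $mask ) === ( ip2long( $net ) & $mask ) ) {
				return true;
			}
		}
		return false;
	}
	// IPv6: unspecified (::), loopback (::1), unique local (fc00::/7), link-local (fe80::/10).
	if ( str_repeat( "\0", 16 ) === $packed || str_repeat( "\0", 15 ) . "\x01" === $packed ) {
		return true;
	}
	$first  = ord( $packed[0] );
	$second = ord( $packed[1] );
	if ( 0xfc === ( $first & 0xfe ) ) {
		return true;
	}
	return 0xfe === $first && 0x80 === ( $second & 0xc0 );
}

/**
 * pre_http_request filter: resolve the target host and refuse the request if
 * any answer is internal. Resolving here, rather than trusting the literal
 * host, also catches hostnames that point at 127.0.0.1 or 169.254.169.254.
 */
function ssrf_guard_pre_http_request( $preempt, array $parsed_args, string $url ) {
	if ( false !== $preempt ) {
		return $preempt; // another filter already short-circuited this request
	}
	$scheme = wp_parse_url( $url, PHP_URL_SCHEME );
	$host   = wp_parse_url( $url, PHP_URL_HOST );
	if ( ! $host || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return new WP_Error( 'ssrf_guard', 'Blocked outbound request: unsupported URL.' );
	}
	$host = trim( $host, '[]' ); // IPv6 literals arrive bracketed
	// gethostbynamel() returns A records only; add dns_get_record( $host, DNS_AAAA )
	// on dual-stack hosts so IPv6 answers are checked as well.
	$ips = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
	if ( empty( $ips ) ) {
		return new WP_Error( 'ssrf_guard', 'Blocked outbound request: host does not resolve.' );
	}
	foreach ( $ips as $ip ) {
		if ( ssrf_guard_ip_is_internal( $ip ) ) {
			error_log( sprintf( 'ssrf-guard: blocked %s (%s -> %s) for user %d',
				$url, $host, $ip, get_current_user_id() ) );
			return new WP_Error( 'ssrf_guard', 'Blocked outbound request to internal address.' );
		}
	}
	return false; // let WP_Http perform the request
}
add_filter( 'pre_http_request', 'ssrf_guard_pre_http_request', 10, 3 );

// Additionally make every WP HTTP API call run core's own wp_http_validate_url() check.
add_filter( 'http_request_reject_unsafe_urls', '__return_true' );
```

Two caveats apply to any in-application filter of this kind. The resolve-then-fetch sequence leaves a short window for DNS rebinding, so the network-level egress rule in the third recommendation remains the stronger control. And blocking loopback will also stop legitimate self-requests (for example, some cron and REST calls on hosts that resolve the site name to 127.0.0.1), so watch the error_log entries after deploying and allow-list specific hosts if needed.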


Advisories
Source: EUVD
ID: EUVD-2025-27617
Title: The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
History

Thu, 11 Sep 2025 10:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Wed, 10 Sep 2025 21:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Sep 2025 06:45:00 +0000

Type: Description
  Values Added: The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Type: Title
  Values Added: Auto Save Remote Images (Drafts) <= 1.0.9 - Authenticated (Contributor+) Server-Side Request Forgery
Type: Weaknesses
  Values Added: CWE-918
Type: References (no values shown)
Type: Metrics (cvssV3_1)
  Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:40.900Z

Reserved: 2025-07-18T19:44:56.488Z

Link: CVE-2025-7843

Vulnrichment

Updated: 2025-09-10T20:30:08.911Z

NVD

Status: Deferred

Published: 2025-09-10T07:15:45.637

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses