Description
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts.
Published: 2025-09-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The Featured Image from URL (FIFU) plugin for WordPress allows unauthenticated attackers to read private or password-protected posts because a capability check is missing on the fifu_api_debug_posts() function. The primary impact is the unauthorized disclosure of content that should be protected by post visibility settings. This weakness is an authorization failure (CWE-862).

Affected Systems

WordPress sites running the Featured Image from URL (FIFU) plugin by marceljm with versions 5.2.7 or earlier. The vulnerability exists in all releases up to and including 5.2.7.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score of less than 1% suggests a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the vulnerable endpoint by sending a direct HTTP request to fifu_api_debug_posts() (often via /wp-admin/admin-ajax.php), bypassing any authentication checks and retrieving full post content. Although the risk is moderate, the lack of authorization allows public exposure of content that the site owner considers private, and the vulnerability remains actively exploitable until the plugin is updated.

Generated by OpenCVE AI on April 21, 2026 at 02:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Featured Image from URL (FIFU) plugin to a version newer than 5.2.7 that includes the missing authorization check.
  • If an update is delayed, block or remove access to the fifu_api_debug_posts() endpoint by disabling the debug.php file or adding a firewall rule that rejects requests to the debug API.
  • Review and tighten WordPress user roles so that only appropriate accounts have permissions to edit or view private posts, and monitor logs for suspicious requests to the debug API.
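The class of fix the first recommended action refers to, shown as an added PHP illustration that is not the FIFU plugin's own code: a WordPress REST route whose callback returns post content with no authorization check, beside the same route gated by a permission_callback and per-post visibility checks. The namespace, route paths, function names and the manage_options capability are assumptions.

```php
<?php
// Added illustration, not the FIFU plugin's code. Namespace, route and
// function names are hypothetical; the capability chosen is an assumption.

add_action( 'rest_api_init', function () {
    // Weak form: '__return_true' makes the route reachable unauthenticated
    // (CWE-862). Whatever the callback queries is then public.
    register_rest_route( 'example/v1', '/debug-posts', array(
        'methods'             => 'GET',
        'callback'            => 'example_debug_posts_unchecked',
        'permission_callback' => '__return_true',
    ) );

    // Hardened form: the route is gated by a capability check, and the
    // callback also enforces per-post visibility.
    register_rest_route( 'example/v1', '/debug-posts-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_debug_posts_checked',
        'permission_callback' => function () {
            // manage_options is an assumption; use the narrowest capability that fits.
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Returns published and private posts to any caller.
function example_debug_posts_unchecked( WP_REST_Request $request ) {
    $posts = get_posts( array( 'post_status' => array( 'publish', 'private' ), 'numberposts' => 50 ) );
    $out   = array();
    foreach ( $posts as $p ) {
        $out[] = array( 'ID' => $p->ID, 'content' => $p->post_content );
    }
    return rest_ensure_response( $out );
}

// Same query, but each post is filtered by the caller's read_post meta
// capability and by the password gate before its content is returned.
function example_debug_posts_checked( WP_REST_Request $request ) {
    $posts = get_posts( array( 'post_status' => array( 'publish', 'private' ), 'numberposts' => 50 ) );
    $out   = array();
    foreach ( $posts as $p ) {
        if ( ! current_user_can( 'read_post', $p->ID ) || post_password_required( $p ) ) {
            continue; // not readable by this user: skip, never return content
        }
        $out[] = array( 'ID' => $p->ID, 'content' => $p->post_content );
    }
    return rest_ensure_response( $out );
}
```

For an anonymous REST request, current_user_can() returns false, so the hardened route answers 401/403 before the callback runs; the per-post checks matter for logged-in callers who hold the route capability but not read access to every post.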

Advisories
Source: EUVD
ID: EUVD-2025-31213
Title: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts.
History

Fri, 26 Sep 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Fifu; Fifu featured Image From Url; Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 04:45:00 +0000

Type: Description
Values Added: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts.

Type: Title
Values Added: Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Fifu Featured Image From Url
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:48.955Z

Reserved: 2025-09-04T13:32:38.868Z

Link: CVE-2025-9984

Vulnrichment

Updated: 2025-09-26T19:36:20.888Z

NVD

Status : Deferred

Published: 2025-09-26T05:15:36.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses