The Featured Image from Content WordPress plugin, before version 1.7, contains an authenticated server‑side request forgery flaw. Authenticated users with author‑level permissions can trigger the plugin’s save_post routine to make the server fetch arbitrary URLs. Because the server performs the request using uncapped input, the attacker can extract internal HTTP resources and, through insecure file write operations, place the retrieved content into the site’s upload directory. This creates a risk of internal data disclosure and may be leveraged for further exploitation.

Affected systems are WordPress sites that have the Featured Image from Content plugin installed in any release earlier than 1.7. The plugin is maintained by Dhrumil Kumbhani. The vulnerability is present in all prior versions and can be exercised by users who have author or higher privileges within the WordPress installation.

The CVSS base score of 5.3 reflects moderate severity, and the EPSS score below 1% indicates a low likelihood of exploitation at present. Because the flaw requires authenticated access with at least author privileges and involves outbound HTTP requests, attackers would need to compromise the user account or exploit another vulnerability that provides such privileges. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, further suggesting limited public exploitation.