WordPress Auto Featured Image Plugin Server-Side Request Forgery Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Auto Featured Image (Auto Post Thumbnail) plugin for WordPress, affecting all versions through 4.1.7. The vulnerability arises in the upload_to_library function, allowing authenticated attackers with Author-level access or higher to make web requests to arbitrary locations from the web application. This could be exploited to query and modify information from internal services. Additionally, on Cloud instances, the vulnerability could be used to retrieve metadata.

Impact

Exploitation of this vulnerability could lead to unauthorized web requests being made from the WordPress application to internal services, potentially allowing attackers to access or modify sensitive information. On Cloud instances, this could include unauthorized retrieval of metadata.

Remediation

Users are advised to update the Auto Featured Image (Auto Post Thumbnail) plugin to version 4.2.0 or a newer patched version.