WordPress Featured Image from URL Plugin Server-Side Request Forgery Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Featured Image from URL (FIFU) plugin for WordPress, affecting all versions through 5.3.1. The vulnerability arises from inadequate validation of user-supplied URLs before they are passed to the getimagesize() function within the Elementor widget integration. This flaw allows authenticated attackers with Contributor-level access or higher to send web requests to arbitrary locations from the web application. Exploitation can be used to query and modify information from internal services by leveraging the fifu_input_url parameter in the FIFU Elementor widget, provided the attacker has permission to use Elementor.

Impact

Exploitation of this vulnerability could allow authenticated attackers to perform Server-Side Request Forgery (SSRF), potentially leading to unauthorized access or modification of information from internal services.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the Elementor integration of the Featured Image from URL (FIFU) plugin. By entering a URL that bypasses validation into the 'fifu_input_url' parameter of a FIFU Elementor widget, it is possible to initiate a server-side request to an arbitrary location. This can be done by selecting a location that the server can access, such as a local or internal service, to demonstrate the SSRF vulnerability.

Remediation

Users are advised to update the Featured Image from URL (FIFU) plugin to version 5.3.2 or later.