Featured Image from URL WordPress Plugin Missing Authorization Vulnerability Allows Access to Private Posts

Vulnerability

The Featured Image from URL (FIFU) plugin for WordPress is affected by a missing authorization vulnerability in all versions through 5.2.7. The REST API callback 'fifu_api_debug_posts()' performs no capability check before returning post data, so unauthenticated requests can retrieve the content of private and password-protected posts that WordPress would otherwise withhold from anonymous visitors. The result is disclosure of content that the site owner intended to keep restricted.
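As an added illustration, not code from the FIFU plugin or from this advisory, the following contrasts a WordPress REST route that exhibits the pattern the advisory describes (a callback reachable by anyone, with no capability check) with a hardened version of the same route. The 'fifu/v1' namespace, the route paths, and the function names ending in _vulnerable and _fixed are assumptions made for the example; the plugin's real route and parameter handling are not reproduced here.

```php
<?php
// Illustrative example only; not the FIFU plugin's code. The namespace, route
// paths and the *_vulnerable / *_fixed function names are assumed.

// VULNERABLE pattern: the route admits every caller ('__return_true') and the
// callback never asks whether the caller may read the requested post, so an
// anonymous GET ?id=<private post id> receives the post body.
add_action('rest_api_init', function () {
    register_rest_route('fifu/v1', '/debug-posts', array(           // assumed route
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'fifu_api_debug_posts_vulnerable',
        'permission_callback' => '__return_true',
    ));
});

function fifu_api_debug_posts_vulnerable(WP_REST_Request $request) {
    $post = get_post(absint($request->get_param('id')));
    if (!$post) {
        return new WP_Error('not_found', 'No such post', array('status' => 404));
    }
    // get_post() returns private and password-protected posts regardless of
    // who is asking; nothing here enforces the post's visibility.
    return array(
        'id'      => $post->ID,
        'status'  => $post->post_status,
        'content' => $post->post_content,
    );
}

// HARDENED pattern: authorize at the route (WordPress then answers 401 for
// anonymous callers and 403 for users lacking the capability before the
// callback runs), validate the input, and re-check per post in the callback.
add_action('rest_api_init', function () {
    register_rest_route('fifu/v1', '/debug-posts-fixed', array(     // assumed route
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'fifu_api_debug_posts_fixed',
        'permission_callback' => function () {
            // Debug output is an administrative feature; pick the least
            // privileged capability the feature actually needs.
            return current_user_can('manage_options');
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ($value) {
                    return is_numeric($value) && (int) $value > 0;
                },
            ),
        ),
    ));
});

function fifu_api_debug_posts_fixed(WP_REST_Request $request) {
    $post = get_post((int) $request->get_param('id'));
    if (!$post) {
        return new WP_Error('not_found', 'No such post', array('status' => 404));
    }
    // Defence in depth: even a capable user must be allowed to read this post.
    if (!current_user_can('read_post', $post->ID)) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read this post.',
            array('status' => rest_authorization_required_code())
        );
    }
    $response = array('id' => $post->ID, 'status' => $post->post_status);
    // Withhold the body of a password-protected post until the caller has
    // supplied the password (WordPress records that in a cookie).
    $response['content'] = post_password_required($post) ? null : $post->post_content;
    return $response;
}
```

To see the difference, request each route anonymously with the id of a private post: the vulnerable route returns the post body, while the hardened route is rejected by the permission callback with a 401 'rest_forbidden' error before the callback executes. Note that since WordPress 5.5 omitting 'permission_callback' altogether only raises a _doing_it_wrong notice; it does not restrict access, so a missing callback and '__return_true' are equally open.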

Impact

An unauthenticated attacker who can reach the site's REST API can read the content of private and password-protected posts, which WordPress would otherwise show only to authorized users or to visitors who have entered the post password. No account on the site is required.

Reproduction

To reproduce this vulnerability, send an unauthenticated GET request to the plugin's 'fifu_api_debug_posts' endpoint of the WordPress REST API, passing the 'id' parameter of a private or password-protected post. On affected versions the response contains the content of that post instead of an authorization error. To confirm a fix, repeat the same request after upgrading and verify that the endpoint no longer returns post content to an anonymous caller.

Remediation

Users are advised to update the Featured Image from URL (FIFU) plugin to version 5.2.8 or later. Until the update is applied, any private or password-protected post content on an affected site should be treated as potentially exposed.

Added: Sep 26, 2025, 5:21 AM
Updated: Sep 26, 2025, 5:21 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.