CVE-2025-13393 affects Featured Image from URL (FIFU) and enables a Contributor-level user to coerce the WordPress server into making outbound requests to attacker-chosen destinations during the Elementor save workflow. The vulnerability is blind server-side request forgery: the plugin does not return the fetched response body to the attacker. Instead it triggers a network request as a side effect of extracting image dimensions. This is still high impact because the attacker gains a reliable primitive to reach internal hosts that are not accessible from the internet, which can be used for reconnaissance and chaining. With an install base of around 70k+ sites, this is relevant to real deployments where Contributors and Authors are common in editorial and marketing teams.

CVE: CVE-2025-13393
Plugin Version: Featured Image from URL (FIFU) <= 5.3.1
All Time Downloads: 7 244 323
Active installations: 70 000+
Publicly Published: January 9, 2026
Last Updated: January 9, 2026
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13393
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/featured-image-from-url/featured-image-from-url-fifu-531-authenticated-contributor-server-side-request-forgery-via-fifu-input-url
https://t.me/cleantalk_researches/385

Timeline

November 5, 2025: Plugin testing and vulnerability detection in FIFU have been completed
November 5, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
January 9, 2026: Registered CVE-2025-13393

Discovery of the Vulnerability

The root cause is a design choice in the Elementor integration. When a page is saved, the plugin traverses the saved widget tree and processes its custom widget settings. In the widget handler, it reads the user-controlled Image URL field and calls getimagesize on that URL to extract width and height. In PHP, when stream wrappers are enabled and allow_url_fopen is on, getimagesize can fetch remote resources over HTTP and HTTPS. The plugin implements no host restrictions: it does not block loopback or private ranges, and it does not enforce a strict scheme allow list. This means the server will attempt to connect to whatever the Contributor provides, including localhost services or cloud metadata IP ranges, and the request will originate from the WordPress server's network context.

Understanding SSRF attacks

SSRF in WordPress often appears in media related features because plugins try to be helpful and auto fetch remote images for previews, dimension checks, caching, or import. The mistake is treating any URL input like a normal image link and forgetting that the server has privileged network visibility. In real deployments the WordPress server can reach databases, cache nodes, internal admin panels, monitoring dashboards, and cloud metadata endpoints that are intentionally blocked from the public internet. Even when the SSRF is blind, it can still reveal whether a port is open by timing differences, it can trigger state changing requests against internal HTTP interfaces, and it can leak data through side channels like DNS logs or HTTP canaries. This is why blind SSRF is still dangerous. It provides a stealthy internal network probe that is hard to detect in the UI because the attacker never sees the fetched content directly.

Exploiting the SSRF Vulnerability

To exploit CVE-2025-13393, an attacker needs an authenticated account with Contributor+ privileges:

POC:

1) Create a new Elementor post as a Contributor+ user
2) Add a FIFU widget to it
3) Change the "Image URL" field to "http://127.0.0.1:8888/poc"
4) Save the post and check the request handler


The most realistic risk is internal service discovery and pivoting. A low privilege Contributor account is frequently obtained through phishing, password reuse, or open registrations on content sites. With this bug, that foothold becomes a way to scan internal hosts. An attacker can probe localhost ports to find exposed admin tools, debug endpoints, or internal APIs. In cloud environments they can target metadata endpoints to attempt token retrieval, and even if the body is not returned, they can still cause requests that might be logged or that trigger follow on actions. Another realistic scenario is targeting internal WordPress adjacent services like Redis, Memcached, Elasticsearch, or monitoring panels that are only bound to the private network. Even blind SSRF can enable attack chains because it helps identify what exists and where, which reduces uncertainty for later exploitation. The stealthy nature is important. Requests are triggered by normal save actions, so they can blend into routine editorial activity and appear as ordinary image processing.

Recommendations for Improved Security

The correct fix is to treat Image URL as untrusted input and enforce strict network and scheme restrictions before any server side fetch occurs. The plugin should allow only http and https schemes and should explicitly block loopback, link local, and private network ranges including 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges, and it should resolve DNS and recheck the final IP to prevent bypass via DNS rebinding. It should also implement timeouts and size limits and preferably avoid using getimagesize on remote URLs at all. A safer pattern is to fetch remote images only through WordPress HTTP APIs with explicit host validation and to store dimensions only after a validated download. Site owners can reduce exposure by limiting who can edit with Elementor and who can use FIFU widgets, and by restricting allow_url_fopen or applying egress filtering at the infrastructure layer so that even if a plugin makes a request, the server cannot reach sensitive internal destinations. Monitoring outbound requests triggered by wp-admin save actions is also valuable because it can reveal misuse early.
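A hardened version of the dimension lookup described in the Discovery section, implementing the restrictions recommended above, as an added example that is not FIFU's own code: the fifu_example_* names are hypothetical, and it assumes it runs inside WordPress (wp_parse_url, wp_safe_remote_get, MB_IN_BYTES are the real WordPress APIs).

```php
/**
 * Added example, not FIFU's code: true only if every resolved address of $host is publicly
 * routable. NO_PRIV_RANGE rejects RFC1918 and fc00::/7; NO_RES_RANGE rejects loopback
 * (127.0.0.0/8, ::1), link-local (169.254.0.0/16) and other reserved blocks.
 */
function fifu_example_host_is_public( $host ) {
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addresses = array( $host );                     // literal IP: check it directly
    } else {
        $addresses = gethostbynamel( $host ) ?: array();  // IPv4 A records
        foreach ( (array) dns_get_record( $host, DNS_AAAA ) as $rec ) {
            if ( ! empty( $rec['ipv6'] ) ) { $addresses[] = $rec['ipv6']; } // IPv6 AAAA records
        }
    }
    if ( empty( $addresses ) ) { return false; }         // unresolvable: fail closed
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ( $addresses as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) { return false; }
    }
    return true;
}

/**
 * Hardened replacement for getimagesize( $url ): scheme allow list, host check, bounded
 * WordPress HTTP fetch with no redirects, dimensions read from the downloaded bytes.
 * Returns array( width, height ) or null when the URL must not be fetched.
 */
function fifu_example_safe_image_dimensions( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! $parts || empty( $parts['host'] )
         || ! in_array( $parts['scheme'] ?? '', array( 'http', 'https' ), true )
         || ! fifu_example_host_is_public( $parts['host'] ) ) {
        return null;
    }
    // wp_safe_remote_get() re-validates the URL and re-resolves DNS itself; to close the
    // rebinding window completely, pin the checked IP on the curl handle via the http_api_curl hook.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,                  // a redirect would otherwise bypass the checks
        'limit_response_size' => 5 * MB_IN_BYTES,
        'reject_unsafe_urls'  => true,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $size = getimagesizefromstring( wp_remote_retrieve_body( $response ) );
    return $size ? array( $size[0], $size[1] ) : null;
}
```

The widget handler would call fifu_example_safe_image_dimensions( $url ) in place of getimagesize( $url ) and skip dimension storage when it returns null.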

By taking proactive measures to address issues like CVE-2025-13393, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-13393 – Featured Image from URL (FIFU) – Authenticated (Contributor+) Server-Side Request Forgery via ‘fifu_input_url’ – POC
