Vulnerabilities and security researches forauto-post-thumbnail auto-post-thumbnail

Jun 07, 2024

CVE, Research URL: CVE-2024-33629
Home page URL: Security reports for Auto Featured Image (Auto Post Thumbnail)
Application: Auto Featured Image (Auto Post Thumbnail)
Date: Apr 29, 2024
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Creative Motion Auto Featured Image (Auto Post Thumbnail).This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through 4.0.0.
Affected versions: max 4.1.4.
Status: vulnerable

CVE, Research URL: CVE-2021-24932
Home page URL: Security reports for Auto Featured Image (Auto Post Thumbnail)
Application: Auto Featured Image (Auto Post Thumbnail)
Date: Dec 13, 2021
Research Description: The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue.
Affected versions: max 3.9.16.
Status: vulnerable

CVE, Research URL: CVE-2023-0477
Home page URL: Security reports for Auto Featured Image (Auto Post Thumbnail)
Application: Auto Featured Image (Auto Post Thumbnail)
Date: Mar 13, 2023
Research Description: The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation.
Affected versions: max 3.9.16.
Status: vulnerable

CVE, Research URL: CVE-2023-7073
Home page URL: Security reports for Auto Featured Image (Auto Post Thumbnail)
Application: Auto Featured Image (Auto Post Thumbnail)
Date: May 31, 2024
Research Description: The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.0 via the upload_to_library AJAX action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions: max 4.0.0.
Status: vulnerable

Jul 15, 2024

CVE, Research URL: CVE-2024-38719
Home page URL: Security reports for Auto Featured Image (Auto Post Thumbnail)
Application: Auto Featured Image (Auto Post Thumbnail)
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in Creative Motion Auto Featured Image (Auto Post Thumbnail) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through 4.1.2.
Affected versions: max 4.1.3.
Status: vulnerable

Nov 11, 2025

CVE, Research URL: CVE-2025-10145
Home page URL: Security reports for Auto Featured Image (Auto Post Thumbnail)
Application: Auto Featured Image (Auto Post Thumbnail)
Date: Oct 28, 2025
Research Description: The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval.
Affected versions: max 4.2.0.
Status: vulnerable