Vulnerabilities and security researches forfeatured-image-from-url featured-image-from-url

Oct 11, 2025

CVE, Research URL: CVE-2025-10037
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Sep 26, 2025
Research Description: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: Min -, max -.
Status: vulnerable

Jul 09, 2024

CVE, Research URL: CVE-2024-37516
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.2.
Affected versions: Min -, max -.
Status: vulnerable

Jul 02, 2024

CVE, Research URL: CVE-2024-37276
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.1.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2024-1496
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Feb 29, 2024
Research Description: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifu_input_url parameter in all versions up to, and including, 4.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: c5b410e4120824e037e364466d4c7e1489a4eda8
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Dec 27, 2019
Research Description: Featured Image from URL (FIFU) [featured-image-from-url] < 2.7.8 (closed) WordPress Featured Image from URL plugin <= 2.7.7 - Missing Access Controls on REST routes vulnerability Missing Access Controls on REST routes vulnerability found in WordPress Featured Image from URL plugin (versions <= 2.7.7).
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-2278
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Aug 01, 2022
Research Description: The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-2241
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Aug 01, 2022
Research Description: The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-6561
Home page URL: Security reports for Featured Image from URL (FIFU)
Application: Featured Image from URL (FIFU)
Date: Jan 11, 2024
Research Description: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable