VYPR

Featured Image From URL

by WordPress

CVEs (12)

  • CVE-2024-1496 | Med | Feb 29, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifu_input_url parameter in all versions up to, and including, 4.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2023-6561 | Med | Jan 11, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2024-37516 | Med | Nov 1, 2024
    risk 0.41 | cvss 6.3 | epss 0.00

    Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Image from URL: from n/a through 4.8.2.

  • CVE-2025-7400 | Med | Oct 7, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2025-9985 | Med | Sep 26, 2025
    risk 0.35 | cvss 5.3 | epss 0.11

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information…

  • CVE-2025-9984 | Med | Sep 26, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read…

  • CVE-2024-37276 | Med | Nov 1, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Image from URL: from n/a through 4.8.1.

  • CVE-2025-10037 | Med | Sep 26, 2025
    risk 0.32 | cvss 4.9 | epss 0.00

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient…

  • CVE-2025-10036 | Med | Sep 26, 2025
    risk 0.32 | cvss 4.9 | epss 0.00

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…

  • CVE-2025-13393 | Med | Jan 10, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor…

  • CVE-2022-2278 | Aug 1, 2022
    risk 0.00 | cvss n/a | epss 0.00

    The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed…

  • CVE-2022-2241 | Aug 1, 2022
    risk 0.00 | cvss n/a | epss 0.01

    The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and…
