Which Featured Image from URL (FIFU) CVEs are tracked?

Featured Image from URL (FIFU) tracked CVEs include CVE-2022-2241, CVE-2025-7400, CVE-2024-1496, CVE-2023-6561, and CVE-2022-2278.

How many Featured Image from URL (FIFU) vulnerabilities have patch guidance?

13 of 13 tracked Featured Image from URL (FIFU) records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 13 known issues Latest disclosed Jan 09, 2026

Featured Image from URL (FIFU) Vulnerabilities

Review known vulnerability records for the WordPress plugin Featured Image from URL (FIFU) (`featured-image-from-url`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-13393, CVE-2025-7400 and CVE-2025-9984, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Jan 10, 2026

Priority CVE Quick Links

Fast paths into Featured Image from URL (FIFU) CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2022-2241 High 4.0.0

CVE-2022-2241 Featured Image from URL (FIFU) Cross-Site Request Forgery

Featured Image from URL (FIFU) <= 3.9.9 - Cross-Site Request Forgery

CVE-2025-7400 Medium 5.2.8

CVE-2025-7400 Featured Image from URL (FIFU) Stored Cross-Site Scripting

Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields

CVE-2024-1496 Medium 4.6.3

CVE-2024-1496 Featured Image from URL (FIFU) Stored Cross-Site Scripting

Featured Image from URL (FIFU) <= 4.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url

CVE-2023-6561 Medium 4.5.4

CVE-2023-6561 Featured Image from URL (FIFU) Stored Cross-Site Scripting

Featured Image from URL (FIFU) <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text

CVE-2022-2278 Medium 4.0.1

CVE-2022-2278 Featured Image from URL (FIFU) Stored Cross-Site Scripting

Featured Image from URL (FIFU) <= 4.0.0 - Stored Cross-Site Scripting

CVE-2025-9984 Medium 5.2.8

CVE-2025-9984 Featured Image from URL (FIFU) Vulnerability

Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure

CVE-2025-9985 Medium 5.2.8

CVE-2025-9985 Featured Image from URL (FIFU) Sensitive Information Exposure

Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File

CVE-2024-37276 Medium 4.8.2

CVE-2024-37276 Featured Image from URL (FIFU) Vulnerability

Featured Image from URL <= 4.8.1 - Missing Authorization

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Featured Image from URL (FIFU) so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

13 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 2 high severity findings.

Recent CVEs

CVE-2025-13393, CVE-2025-7400 and CVE-2025-9984

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-13393 Medium Patch path listed

CVE-2025-13393: Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of us...

Published

Jan 09, 2026

Patch Status

5.3.2

Open CVE-2025-13393 Report

CVE-2025-7400 Medium Patch path listed

CVE-2025-7400: Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due...

Published

Oct 06, 2025

Patch Status

5.2.8

Open CVE-2025-7400 Report

CVE-2025-9984 Medium Patch path listed

CVE-2025-9984: Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions...

Published

Sep 25, 2025

Patch Status

5.2.8

Open CVE-2025-9984 Report

Known Vulnerabilities

Reports for Featured Image from URL (FIFU)

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-13393

CVE-2025-13393: Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widge...

Published

Jan 09, 2026

Patched Release

5.3.2

Affected Versions

Versions up to 5.3.1

Next Step

Update to 5.3.2 or newer if supported.

Open CVE-2025-13393 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-7400

CVE-2025-7400: Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authen...

Published

Oct 06, 2025

Patched Release

5.2.8

Affected Versions

Versions up to 5.2.7

Next Step

Update to 5.2.8 or newer if supported.

Open CVE-2025-7400 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-9984

CVE-2025-9984: Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read...

Published

Sep 25, 2025

Patched Release

5.2.8

Affected Versions

Versions up to 5.2.7

Next Step

Update to 5.2.8 or newer if supported.

Open CVE-2025-9984 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-10037

CVE-2025-10037: Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparat...

Published

Sep 25, 2025

Patched Release

5.2.8

Affected Versions

Versions up to 5.2.7

Next Step

Update to 5.2.8 or newer if supported.

Open CVE-2025-10037 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-10036

CVE-2025-10036: Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL qu...

Published

Sep 25, 2025

Patched Release

5.2.8

Affected Versions

Versions up to 5.2.7

Next Step

Update to 5.2.8 or newer if supported.

Open CVE-2025-10036 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-9985

CVE-2025-9985: Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information c...

Published

Sep 25, 2025

Patched Release

5.2.8

Affected Versions

Versions up to 5.2.7

Next Step

Update to 5.2.8 or newer if supported.

Open CVE-2025-9985 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-37516

CVE-2024-37516: Featured Image from URL <= 4.8.2 - Missing Authorization

The Featured Image from URL plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the fifu_get_private_data_permissions_check() function in versions up to, and including, 4.8.2. This makes it possible for authenticated...

Published

Jul 05, 2024

Patched Release

4.8.3

Affected Versions

Versions up to 4.8.2

Next Step

Update to 4.8.3 or newer if supported.

Open CVE-2024-37516 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-37276

CVE-2024-37276: Featured Image from URL <= 4.8.1 - Missing Authorization

The Featured Image from URL plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fifu_save_sizes_api() function in versions up to, and including, 4.8.1. This makes it possible for unauthenticated attackers to update size...

Published

Jun 28, 2024

Patched Release

4.8.2

Affected Versions

Versions up to 4.8.1

Next Step

Update to 4.8.2 or newer if supported.

Open CVE-2024-37276 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-1496

CVE-2024-1496: Featured Image from URL (FIFU) <= 4.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifu_input_url parameter in all versions up to, and including, 4.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a...

Published

Feb 19, 2024

Patched Release

4.6.3

Affected Versions

Versions up to 4.6.2

Next Step

Update to 4.6.3 or newer if supported.

Open CVE-2024-1496 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-6561

CVE-2023-6561: Featured Image from URL (FIFU) <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated at...

Published

Dec 14, 2023

Patched Release

4.5.4

Affected Versions

Versions up to 4.5.3

Next Step

Update to 4.5.4 or newer if supported.

Open CVE-2023-6561 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2022-2278

CVE-2022-2278: Featured Image from URL (FIFU) <= 4.0.0 - Stored Cross-Site Scripting

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘input’ parameter in versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitr...

Published

Jul 05, 2022

Patched Release

4.0.1

Affected Versions

Versions up to 4.0.0

Next Step

Update to 4.0.1 or newer if supported.

Open CVE-2022-2278 Report Open CVE Reference

Plugin High Patched: Yes CVE-2022-2241

CVE-2022-2241: Featured Image from URL (FIFU) <= 3.9.9 - Cross-Site Request Forgery

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.9.9. This is due to missing or incorrect nonce validation on the fifu_update_menu_options function. This makes it possible for unauthenticated a...

Published

Jun 30, 2022

Patched Release

4.0.0

Affected Versions

Versions up to 3.9.9

Next Step

Update to 4.0.0 or newer if supported.

Open CVE-2022-2241 Report Open CVE Reference