Featured Image from URL (FIFU) < 5.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields | CVE 2025-7400 | Plugin Vulnerabilities

Description

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 5.2.2.

Affects Plugins

featured-image-from-url

Fixed in 5.2.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a4eeaf05-ec86-4d99-bc00-81f7f99e88ce

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Yudha - DJ

Verified

No

WPVDB ID

28a1d791-a5b5-4388-8834-8bd7b799f75c

Timeline

Publicly Published

2025-10-06 (about 8 months ago)

Added

2025-10-06 (about 8 months ago)

Last Updated

2025-10-07 (about 8 months ago)

Other

Published

Title

Published

2021-08-11

Title

FV Flowplayer Video Player < 7.5.3.727 - Reflected Cross-Site Scripting

Published

2026-05-21

Title

CBX 5 Star Rating & Review < 1.0.8 - Reflected Cross-Site Scripting via 'page' Parameter

Published

2026-06-08

Title

WPZOOM Portfolio Lite – Filterable Portfolio Plugin < 1.4.22 - Reflected XSS

Published

2018-01-01

Title

Smart Google Code Inserter <= 3.4 - Unauthenticated Cross-Site Scripting (XSS)

Published

2023-04-25

Title

Tiempo.com <= 0.1.2 - Stored XSS via CSRF