WordPress Plugin Vulnerabilities

Auto Featured Image (Auto Post Thumbnail) < 4.2.0 - Authenticated (Author+) Server-Side Request Forgery

Description

The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval.

Affects Plugins

Plugin icon
auto-post-thumbnail
Fixed in 4.2.0

References

CVE
CVE-2025-10145
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93acfae6-470b-4637-b76b-e1162b80253f

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Jonas Benjamin Friedli
Verified
No
WPVDB ID
897543f9-0bf1-4f04-a7f9-40897c013d00

Timeline

Publicly Published
2025-10-27 (about 6 months ago)
Added
2025-10-27 (about 6 months ago)
Last Updated
2025-10-28 (about 6 months ago)

Other

Published
Title
Published
2025-03-24
Title
WP Compress < 6.30.16 - Unauthenticated Server-Side Request Forgery via init Function
Published
2025-11-18
Title
AI Engine < 3.1.9 - Authenticated (Editor+) Server-Side Request Forgery
Published
2026-03-20
Title
Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
Published
2026-01-03
Title
Smart Auto Upload Images – Import External Images < 1.2.3 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2025-03-27
Title
Metform < 3.9.3 - Admin+ SSRF