CVE-2025-9985 MEDIUM

CVE-2025-9985: Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File

Vendor: Marceljm
Product: Featured Image from URL (FIFU)
Weakness: CWE-532 · Sensitive info in logs
Published: September 26, 2025
Last update: April 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.

Explanation of Vulnerability in Simple Terms

02 Summary

Featured Image from URL (FIFU) versions 5.2.7 and earlier expose sensitive information through log files that are publicly accessible. An attacker with network access can read the non-public data in those log files without authentication. The vulnerability affects all installations of the plugin up to and including the stated version. Update immediately to a version newer than 5.2.7.

What an attacker can do

03 Attacker Capabilities

Read sensitive information from the site without logging in.

Potential impact on your site

04 Site Impact

Confidential data may be exposed to unauthenticated attackers on the internet.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

September 26, 2025: CVE published
April 8, 2026: Record updated