What the vulnerability does
01 Description
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations to retrieve sensitive internal data and store it in web-accessible upload directories.
Explanation of Vulnerability in Simple Terms
02 Summary
Featured Image from Content versions before 1.7 contain a server-side request forgery vulnerability. An authenticated attacker can make the site send HTTP requests to internal or external systems on their behalf. The vulnerability requires low privileges and no user interaction. Impact is limited to integrity and availability of the affected component.
What an attacker can do
03 Attacker Capabilities
Make the site send HTTP requests to internal or external systems on the attacker's behalf.
Potential impact on your site
04 Site Impact
An authenticated attacker can probe internal systems or trigger actions on external services via your site.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the site (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
February 27, 2026: CVE published
May 11, 2026: Record updated