Featured Image from URL (FIFU)

Vulnerabilities 15Slug featured-image-from-urlLatest version 5.3.3WordPress.org →

Minimum safe version

5.3.2

Update to 5.3.2 or later to address 15 fixable vulnerabilities

Latest available5.3.3 ✓

Medium 4.3

2026-01-10< 5.3.2

CVE-2025-13393

CVE EUVD Wordfence

Medium 5.3

2025-09-26< 5.2.8

Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure

EUVD Wordfence CVE

Medium 5.3

2025-09-26< 5.2.8

Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File

EUVD Wordfence CVE

Medium 4.9

2025-09-26< 5.2.8

CVE-2025-10036

CVE EUVD Wordfence

Medium 6.4

2025-10-06< 5.2.8

Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields

Wordfence CVE

Medium 4.9

2025-09-26< 5.2.8

CVE-2025-10037

CVE EUVD Patchstack Wordfence

Medium 6.3

2024-11-01< 4.8.3

CVE-2024-37516

CVE Patchstack Wordfence

Medium 5.3

2024-11-01< 4.8.2

CVE-2024-37276

CVE Patchstack Wordfence

Medium 5.4

2024-02-20< 4.6.3

CVE-2024-1496

CVE Wordfence Patchstack WPScan

Medium 5.4

2024-12-15< 4.5.4

WordPress Featured Image from URL Plugin <= 4.5.3 is vulnerable to Cross Site Scripting (XSS)

Patchstack CVE Wordfence WPScan

N/A

< 2.7.8

Featured Image from URL <= 2.7.7 - Missing Access Controls on REST routes

WPScan

N/A

2019-12-24< 2.7.8

Featured Image from URL <= 2.7.7 - Missing Authorization on REST API routes

Wordfence

Medium 6.1

2022-08-01< 4.0.0

CVE-2022-2241

CVE Patchstack Wordfence WPScan

Medium 4.8

2022-08-01< 4.0.1

CVE-2022-2278

CVE Patchstack Wordfence WPScan

N/A

2019-12-27< 2.7.8

WordPress Featured Image from URL plugin <= 2.7.7 - Missing Access Controls on REST routes vulnerability

Patchstack