Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total9
Critical0
High0
Medium9
Reset
Showing 1-9 of 9 records
Threat Entry Updated 2026-01-13

CVE-2025-13393 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted…

PLUGIN Featured Image From Url

CVE-2025-13393

MEDIUM CVSS 4.3 2026-01-10
Open Full Technical Breakdown
Threat Entry Updated 2025-09-26

CVE-2025-9985 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.

PLUGIN Featured Image From Url

CVE-2025-9985

MEDIUM CVSS 5.3 2025-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-09-26

CVE-2025-9984 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts.

PLUGIN Featured Image From Url

CVE-2025-9984

MEDIUM CVSS 5.3 2025-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-09-26

CVE-2025-10037 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Featured Image From Url

CVE-2025-10037

MEDIUM CVSS 4.9 2025-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-09-26

CVE-2025-10036 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Featured Image From Url

CVE-2025-10036

MEDIUM CVSS 4.9 2025-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-03-04

CVE-2024-1496 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifu_input_url parameter in all versions up to, and including, 4.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Featured Image From Url

CVE-2024-1496

MEDIUM CVSS 6.4 2024-02-29
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6561 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Featured Image From Url

CVE-2023-6561

MEDIUM CVSS 6.4 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-2278 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Featured Image From Url

CVE-2022-2278

MEDIUM CVSS 4.8 2022-08-01
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-2241 - Featured Image From Url Plugin

The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues

PLUGIN Featured Image From Url

CVE-2022-2241

MEDIUM CVSS 6.1 2022-08-01
Open Full Technical Breakdown
Scroll to top