Server-Side Request Forgery Vulnerability in Featured Image Plus Plugin for WordPress
CVE-2025-5818

5.5MEDIUM

Key Information:

Vendor: WordPress
Status: Featured Image Plus – Quick & Bulk Edit With Unsplash
Vendor: CVE Published:; 23 July 2025

What is CVE-2025-5818?

The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is susceptible to a Server-Side Request Forgery (SSRF) flaw. This vulnerability affects all versions up to and including 1.6.4 and arises from the fip_get_image_options() function. Authenticated users with administrator-level access can exploit this vulnerability to initiate web requests to arbitrary endpoints, thereby enabling potential queries and modifications to internal services. This could lead to serious security breaches, allowing attackers to access sensitive information or manipulate system resources.

Affected Version(s)

Featured Image Plus – Quick & Bulk Edit with Unsplash * <= 1.6.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/featured-image...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 23, 2025
Vulnerability Reserved
Jun 6, 2025

Credit

ch4r0n