{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13393", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T01:08:40.615Z", "datePublished": "2026-01-10T13:47:35.750Z", "dateUpdated": "2026-04-08T17:17:36.479Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:36.479Z"}, "affected": [{"vendor": "marceljm", "product": "Featured Image from URL (FIFU)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor."}], "title": "Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7115070-b84d-4d69-993a-f512b9f9c081?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L121"}, {"url": "https://research.cleantalk.org/cve-2025-13393/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3428744/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-11-19T01:27:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T18:28:05.078670Z", "id": "CVE-2025-13393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:28:15.408Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T18:28:05.078670Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:28:11.612Z"}}], "cna": {"title": "Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "marceljm", "product": "Featured Image from URL (FIFU)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T01:27:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7115070-b84d-4d69-993a-f512b9f9c081?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L121"}, {"url": "https://research.cleantalk.org/cve-2025-13393/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3428744/"}], "descriptions": [{"lang": "en", "value": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:36.479Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13393", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:36.479Z", "dateReserved": "2025-11-19T01:08:40.615Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-10T13:47:35.750Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor."}, {"lang": "es", "value": "El plugin Featured Image from URL (FIFU) para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor en todas las versiones hasta la 5.3.1, inclusive. Esto se debe a una validaci\u00f3n insuficiente de las URLs proporcionadas por el usuario antes de pasarlas a la funci\u00f3n getimagesize() en la integraci\u00f3n del widget de Elementor. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, realicen peticiones web a ubicaciones arbitrarias originadas desde la aplicaci\u00f3n web y puede usarse para consultar y modificar informaci\u00f3n de servicios internos a trav\u00e9s del par\u00e1metro fifu_input_url en el widget FIFU de Elementor, siempre que tengan permisos para usar Elementor."}], "id": "CVE-2025-13393", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-10T14:15:49.907", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L121"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L94"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3428744/"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-13393/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7115070-b84d-4d69-993a-f512b9f9c081?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:27:09.146389+00:00", "value": {"mitigation_remediation": ["Upgrade the Featured Image from URL (FIFU) plugin to the latest version that removes the SSRF flaw.", "Restrict Contributor and higher roles from invoking the FIFU Elementor widget or disable the fifu_input_url parameter for non\u2011trusted users.", "Implement network controls to block outbound requests from the WordPress application to internal IP ranges that should not be reachable from the web server."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Featured Image from URL (FIFU) plugin installed with version 5.3.1 or earlier. The vulnerability is present in the Elementor widget integration of the plugin. Administrators should verify the installed plugin version on all sites.", "description_and_impact": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server\u2011Side Request Forgery in all versions up to and including 5.3.1. The flaw stems from inadequate validation of user\u2011supplied URLs before they are passed to PHP's getimagesize() function within the Elementor widget integration. An attacker who can authenticate with at least Contributor\u2011level access and who has permission to use Elementor can supply a crafted value for the fifu_input_url parameter, causing the web application to initiate arbitrary HTTP requests from the server. This permits the attacker to probe internal network services, read sensitive data from protected resources, and potentially modify or compromise internal systems depending on the target endpoints. The primary impact is confidentiality and integrity violation of internal resources through a server\u2011side request, a classic Server\u2011Side Request Forgery (SSRF) vulnerability.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low overall severity, and the EPSS score of less than 1\u202f% suggests that the probability of exploitation in the wild is very low. The flaw can be exploited only by users who can authenticate and hold Contributor or higher privileges within WordPress, which limits the attacker\u2019s initial access. Consequently the threat is primarily internal; an attacker with such permissions could use the plugin to reach internal services, but a remote unauthenticated attacker cannot exploit the issue directly. The vulnerability is not listed in CISA\u2019s KEV catalog, and no public exploit evidence is known at this time. Nonetheless, because it enables SSRF, institutions that expose internal resources should consider it a moderate risk if an attacker gains Contributor access."}}}}, "created": "2026-01-12T14:36:14.939306+00:00", "updated": "2026-04-21T00:30:22.977196+00:00", "vendors": ["fifu", "fifu$PRODUCT$featured_image_from_url", "wordpress", "wordpress$PRODUCT$wordpress"]}