{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4431", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-08T12:38:03.594Z", "datePublished": "2025-05-30T07:23:40.575Z", "dateUpdated": "2026-04-08T16:41:16.714Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:16.714Z"}, "affected": [{"vendor": "krasenslavov", "product": "Featured Image Plus \u2013 Bulk Edit Featured Images, Unsplash & Alt Text Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Featured Image Plus \u2013 Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post."}], "title": "Featured Image Plus <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/209341fa-6761-4bc4-a921-afa98495a087?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-plus/trunk/inc/admin/block-editor/block-editor-actions.php#L204"}, {"url": "https://plugins.trac.wordpress.org/changeset/3303087/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3300380/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "timeline": [{"time": "2025-04-20T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-29T19:23:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T13:56:07.991803Z", "id": "CVE-2025-4431", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T13:56:18.607Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4431", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-30T13:56:07.991803Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T13:56:12.522Z"}}], "cna": {"title": "Featured Image Plus <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update", "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "krasenslavov", "product": "Featured Image Plus \u2013 Bulk Edit Featured Images, Unsplash & Alt Text Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-20T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-29T19:23:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/209341fa-6761-4bc4-a921-afa98495a087?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-plus/trunk/inc/admin/block-editor/block-editor-actions.php#L204"}, {"url": "https://plugins.trac.wordpress.org/changeset/3303087/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3300380/"}], "descriptions": [{"lang": "en", "value": "The Featured Image Plus \u2013 Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:16.714Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4431", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:16.714Z", "dateReserved": "2025-05-08T12:38:03.594Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-30T07:23:40.575Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:krasenslavov:featured_image_plus:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "170AA152-067D-4523-BA65-E41D589F3BF2", "versionEndIncluding": "1.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Featured Image Plus \u2013 Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post."}, {"lang": "es", "value": "El complemento Featured Image Plus \u2013 Quick &amp; Bulk Edit with Unsplash para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n fip_save_attach_featured en todas las versiones hasta la 1.6.3 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, actualicen la imagen destacada de cualquier publicaci\u00f3n."}], "id": "CVE-2025-4431", "lastModified": "2026-04-08T17:20:44.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-30T08:15:19.383", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/featured-image-plus/trunk/inc/admin/block-editor/block-editor-actions.php#L204"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3300380/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3303087/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/209341fa-6761-4bc4-a921-afa98495a087?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:54:08.928167+00:00", "value": {"mitigation_remediation": ["Update the Featured Image Plus plugin to version 1.6.5 or later, which includes the missing capability check.", "If an update is not feasible immediately, restrict Subscriber and Contributor roles from accessing the block editor or related settings, or temporarily revoke their capabilities until the patch is installed.", "Verify that no other plugin functions lack proper authorization checks by reviewing the code or consulting with the plugin developer."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects WordPress sites running the Featured Image Plus plugin version 1.6.4 and earlier. It is relevant to all installations of the plugin under the Krasenslavov author, including those using Bulk Edit Featured Images, Unsplash, and Alt Text Manager components. Users should verify that they are running a patched version or remove the plugin.", "description_and_impact": "The Featured Image Plus plugin is missing an authorization check in its fip_save_attach_featured handler. As a result, any authenticated user with Subscriber or higher privileges can trigger this function and change the featured image on arbitrary posts. This flaw allows an attacker to alter multimedia content, potentially misleading site visitors or facilitating social engineering attacks. The weakness stems from improper access control (CWE\u2011284) and insufficient verification of user capabilities (CWE\u2011862).", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. However, because the flaw requires only authenticated access and involves existing Subscriber-level permissions, an attacker who gains or has such access can exploit it with minimal effort. The impact is limited to post featured images and does not expose confidential data or enable remote code execution."}}}}, "created": "2026-04-22T15:00:05.618487+00:00", "updated": "2026-04-22T15:00:05.618497+00:00", "vendors": []}