{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9984", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-04T13:32:38.868Z", "datePublished": "2025-09-26T04:25:16.647Z", "dateUpdated": "2026-04-08T17:09:48.955Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:48.955Z"}, "affected": [{"vendor": "marceljm", "product": "Featured Image from URL (FIFU)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts."}], "title": "Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9423858b-74be-4b34-961d-97765d8edcbf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/debug.php?rev=3348285"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "timeline": [{"time": "2025-09-04T13:52:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-25T16:00:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-26T19:36:12.612311Z", "id": "CVE-2025-9984", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:36:26.882Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9984", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-26T19:36:12.612311Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:36:20.888Z"}}], "cna": {"title": "Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "marceljm", "product": "Featured Image from URL (FIFU)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.2.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-04T13:52:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-25T16:00:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9423858b-74be-4b34-961d-97765d8edcbf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/debug.php?rev=3348285"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:48.955Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9984", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:48.955Z", "dateReserved": "2025-09-04T13:32:38.868Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-26T04:25:16.647Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts."}], "id": "CVE-2025-9984", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-26T05:15:36.733", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/debug.php?rev=3348285"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9423858b-74be-4b34-961d-97765d8edcbf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:47:55.346867+00:00", "value": {"mitigation_remediation": ["Update the Featured Image from URL (FIFU) plugin to a version newer than 5.2.7 that includes the missing authorization check.", "If an update is delayed, block or remove access to the fifu_api_debug_posts() endpoint by disabling the debug.php file or adding a firewall rule that rejects requests to the debug API.", "Review and tighten WordPress user roles so that only appropriate accounts have permissions to edit or view private posts, and monitor logs for suspicious requests to the debug API."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Featured Image from URL (FIFU) plugin by marceljm with versions 5.2.7 or earlier. The vulnerability exists in all releases up to and including 5.2.7.", "description_and_impact": "The Featured Image from URL (FIFU) plugin for WordPress allows unauthenticated attackers to read private or password\u2011protected posts because a capability check is missing on the fifu_api_debug_posts() function. The primary impact is the unauthorized disclosure of content that should be protected by post visibility settings. This weakness is an authorization failure (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, while the EPSS score of less than 1% suggests a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the vulnerable endpoint by sending a direct HTTP request to fifu_api_debug_posts() (often via /wp-admin/admin-ajax.php), bypassing any authentication checks and retrieving full post content. Although the risk is moderate, the lack of authorization allows public exposure of content that the site owner considers private, and the vulnerability remains actively exploitable until the plugin is updated."}}}}, "created": "2025-09-26T11:35:22.981081+00:00", "updated": "2026-04-21T03:00:06.373274+00:00", "vendors": ["fifu", "fifu$PRODUCT$featured_image_from_url", "wordpress", "wordpress$PRODUCT$wordpress"]}