Skip to main content
CVE Vulnerability Database

CVE-2025-9985: WordPress FIFU Plugin Info Disclosure Flaw

CVE-2025-9985 is an information disclosure vulnerability in the Featured Image from URL (FIFU) WordPress plugin that exposes sensitive data through public log files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-9985 Overview

CVE-2025-9985 affects the Featured Image from URL (FIFU) plugin for WordPress in all versions up to and including 5.2.7. The plugin exposes log files through publicly accessible paths without authentication. Unauthenticated remote attackers can retrieve these log files over the network and view sensitive information they contain. The issue is classified under CWE-532: Insertion of Sensitive Information into Log File. The Featured Image from URL plugin is widely deployed across WordPress sites to attach remote images as featured content, expanding the population of affected installations.

Critical Impact

Unauthenticated attackers can read exposed log files and harvest sensitive data useful for follow-on attacks against WordPress sites running FIFU 5.2.7 or earlier.

Affected Products

  • Featured Image from URL (FIFU) plugin for WordPress
  • All plugin versions up to and including 5.2.7
  • WordPress installations with the FIFU plugin enabled

Discovery Timeline

  • 2025-09-26 - CVE-2025-9985 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9985

Vulnerability Analysis

The FIFU plugin writes operational data to a log file stored inside its plugin directory. The log file remains reachable through a direct HTTP request because the plugin does not restrict access with authentication checks, .htaccess rules, or a randomized file name. An unauthenticated attacker who knows the fixed path can request the log file and read its contents. The referenced plugin file admin/log.php demonstrates the logging implementation that produced this exposure.

The recorded content can include diagnostic data, remote image URLs processed by the plugin, and other operational metadata. This information supports reconnaissance and can accelerate targeted attacks against the WordPress site or its users. The vulnerability affects confidentiality only. Integrity and availability of the site are not directly impacted by reading the log.

EPSS data places the exploitation probability at 11.07% with a percentile of 95.41, indicating higher-than-average interest relative to other published CVEs. No public exploit code has been catalogued and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

Root Cause

The root cause is improper protection of a log file written by the plugin. The plugin stores logs in a location served by the web server and does not enforce access control on the log resource. The fix addresses the file location and access checks in the plugin changeset published by the maintainer.

Attack Vector

Exploitation requires only a network request to the exposed log file path on a vulnerable WordPress site. No authentication, user interaction, or elevated privileges are needed. An attacker enumerates WordPress plugins, identifies FIFU 5.2.7 or earlier, and issues an HTTP GET request to the known log file path to retrieve its contents.

Refer to the WordPress Plugin Change Log and the Wordfence Vulnerability Analysis for technical context. No verified proof-of-concept code is available at time of publication.

Detection Methods for CVE-2025-9985

Indicators of Compromise

  • Unauthenticated HTTP GET requests targeting files under /wp-content/plugins/featured-image-from-url/ from external IP addresses
  • Web server access logs showing successful 200 responses to requests for FIFU log files
  • Repeated scanning patterns enumerating WordPress plugin paths followed by direct requests to plugin log resources

Detection Strategies

  • Inspect web server access logs for requests to FIFU plugin paths, especially any file ending in .log, .txt, or log.php inside the plugin directory
  • Query the installed plugin version against the WordPress admin API or readme.txt file to identify hosts still running FIFU 5.2.7 or earlier
  • Correlate outbound plugin log exposure with subsequent authentication attempts, credential stuffing, or targeted requests to identified admin accounts

Monitoring Recommendations

  • Alert on any external HTTP request to files inside wp-content/plugins/featured-image-from-url/ that returns a non-404 status
  • Track WordPress plugin inventory continuously to flag installations pinned to vulnerable versions
  • Monitor for reconnaissance behavior against WordPress sites, including sequential probing of plugin directories from a single source

How to Mitigate CVE-2025-9985

Immediate Actions Required

  • Update the Featured Image from URL plugin to the version released after 5.2.7 that includes the fix committed in WordPress Plugin Changeset 3362830
  • Delete existing log files created by prior FIFU versions from the plugin directory to remove already-written sensitive data
  • Review historical web server logs for prior successful requests to the exposed log file and treat retrieved data as compromised

Patch Information

The plugin maintainer resolved the exposure in the changeset referenced above. Site administrators should upgrade to the latest release of the Featured Image from URL plugin through the WordPress plugin management interface or by deploying the updated package from the official WordPress plugin repository.

Workarounds

  • Block external HTTP access to the FIFU plugin directory using web server rules, for example an .htaccessDeny from all directive on the log file path
  • Deactivate and remove the FIFU plugin until the update can be applied if the site does not rely on its functionality
  • Place a Web Application Firewall rule in front of WordPress that denies unauthenticated requests to plugin log files
bash
# Apache .htaccess example to block direct access to FIFU log files
<FilesMatch "\.(log|txt)$">
    Require all denied
</FilesMatch>

# Nginx equivalent for the plugin directory
location ~* /wp-content/plugins/featured-image-from-url/.*\.(log|txt)$ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.