CVE-2025-9985
published 2025-09-26


Priority: P279 (medium)
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploited in the wild: yes (ITW exploit; listed in VulnCheck KEV)
EPSS: 11.07% (95.4th percentile)
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.

Affected

3 ranges

Vendor           Product                  Version range               Fixed in
marceljm         featured_image_from_url  <= 5.2.7                    (not listed)
parse-community  parse-server             >= 0 < 8.6.1                8.6.1
parse-community  parse-server             >= 9.0.0 < 9.1.0-alpha.3    9.1.0-alpha.3

Detection & IOCs (extracted from sources)

path: /wp-content/uploads/fifu-plugin.log
path: /wp-content/uploads/fifu-cloud.log
  • Send unauthenticated HTTP GET requests to the two exposed log file paths; a 200 response whose body contains both '{"fifu-dimensions":' and '"Invalid size:' confirms that the log file is publicly exposed.
  • Presence of the FIFU plugin directory '/wp-content/plugins/featured-image-from-url/' on a WordPress site indicates a potentially vulnerable installation; use this as a pre-filter (publicwww query).
  • The vulnerability affects all FIFU plugin versions up to and including 5.2.7; enumerating the installed plugin version scopes which installations are affected.
  • The Nuclei template uses 'stop-at-first-match: true', so only the first matching log file path is confirmed per scan run; check both paths independently for complete coverage.
  • Redirects are followed during detection; ensure your detection tooling also follows HTTP redirects to avoid false negatives.

CVSS provenance

NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VulnCheck: 5.3 MEDIUM