CVE-2025-10036
📋 TL;DR
This SQL injection vulnerability in the WordPress Featured Image from URL (FIFU) plugin allows authenticated attackers with Administrator privileges to execute arbitrary SQL queries. Attackers can extract sensitive information from the database, including user credentials and other confidential data. Only WordPress sites using vulnerable versions of the FIFU plugin are affected.
💻 Affected Systems
- WordPress Featured Image from URL (FIFU) plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.
Likely Case
Extraction of sensitive user data, plugin/theme configuration secrets, and potentially WordPress authentication credentials.
If Mitigated
Limited impact due to required administrator authentication, but still poses risk if admin accounts are compromised.
🎯 Exploit Status
Exploitation requires administrator credentials. SQL injection occurs via the get_all_urls() function with insufficient input sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.2.8 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Featured Image from URL' plugin. 4. Click 'Update Now' if available, or manually update to version 5.2.8+. 5. Verify plugin is active and functioning.
🔧 Temporary Workarounds
Disable vulnerable plugin
WordPressTemporarily disable the FIFU plugin until patched
wp plugin deactivate featured-image-from-url
Restrict admin access
allImplement strict access controls and monitoring for administrator accounts
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns
- Enable database query logging and monitoring for suspicious SQL patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for FIFU plugin version 5.2.7 or earlierCheck Version:
wp plugin get featured-image-from-url --field=versionVerify Fix Applied:
Confirm FIFU plugin version is 5.2.8 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts to admin accounts
- Unexpected database connections from WordPress
Network Indicators:
- Suspicious POST requests to /wp-admin/admin-ajax.php with SQL-like parameters
SIEM Query:
source="wordpress_logs" AND ("get_all_urls" OR "FIFU") AND (sql OR union OR select)🔗 References
- https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/api.php?rev=3348285
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ed54fe33-6467-4af2-ba28-dd17287d8f92?source=cve
