CVE-2025-12019
📋 TL;DR
The Featured Image WordPress plugin has a stored cross-site scripting vulnerability in versions up to 2.1. Authenticated attackers with administrator privileges can inject malicious scripts via image metadata, which execute when users view affected pages. This only impacts WordPress multi-site installations or sites where the unfiltered_html capability is disabled.
💻 Affected Systems
- WordPress Featured Image plugin
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.
Likely Case
Privileged attacker defaces website, steals session cookies, or redirects users to malicious sites.
If Mitigated
Limited impact due to requiring admin privileges and specific WordPress configurations.
🎯 Exploit Status
Exploitation requires administrator-level WordPress credentials and specific WordPress configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2 or later
Vendor Advisory: https://wordpress.org/plugins/featured-image/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Featured Image plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install a fresh copy of version 2.2+ from the WordPress repository.
🔧 Temporary Workarounds
Disable plugin
Temporarily deactivate the Featured Image plugin until the patched version is available
wp plugin deactivate featured-image
Enable unfiltered_html for admins
For single-site installations only: enable the unfiltered_html capability for the administrator role
add_filter('user_has_cap', function ($allcaps, $caps, $args, $user) {
    // Grant unfiltered_html to administrators only; the filter runs for every user, so check the role first.
    if (in_array('administrator', (array) $user->roles, true)) { $allcaps['unfiltered_html'] = true; }
    return $allcaps;
}, 10, 4);
🧯 If You Can't Patch
- Remove administrator access from untrusted users
- Implement web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Featured Image plugin version ≤2.1
Check Version:
wp plugin get featured-image --field=version
Verify Fix Applied:
Verify Featured Image plugin version is 2.2 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual image metadata updates by admin users
- JavaScript payloads in image alt/text fields
Network Indicators:
- Suspicious script tags in HTTP responses containing image metadata
SIEM Query:
source="wordpress.log" AND "featured-image" AND ("update" OR "edit") AND ("script" OR "javascript" OR "onload" OR "onerror")
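As an added illustration (not part of the original advisory), the following Python mirrors the SIEM query above over constructed log lines and shows one caveat of its substring terms: "script" also matches the common metadata field name "description", so a whole-word variant and a direct check of the stored alt/caption/description values are included. The log line format and field names are assumptions.

```python
import re

# Literal mirror of the advisory's SIEM query: plain substring matching.
LITERAL_TOKENS = ("script", "javascript", "onload", "onerror")
# Tighter variant: whole-word tokens, so "description" no longer matches "script".
TOKEN_RE = re.compile(r"\b(script|javascript|onload|onerror)\b", re.IGNORECASE)
# Markup that should not appear in an alt/caption/description value saved by a user lacking unfiltered_html.
MARKUP_RE = re.compile(r"<\s*[a-z]+|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Assumed log line layout: "... attachment_id=<n> field=<name> value="<text>""
FIELD_RE = re.compile(r'attachment_id=(\d+) field=(\w+) value="(.*)"')

def matches_siem_query(line: str) -> bool:
    """The advisory's query as written (substring matches on plugin, action and script tokens)."""
    lower = line.lower()
    return ("featured-image" in lower
            and ("update" in lower or "edit" in lower)
            and any(tok in lower for tok in LITERAL_TOKENS))

def matches_siem_query_strict(line: str) -> bool:
    """Same predicate, but the script tokens must be whole words."""
    lower = line.lower()
    return ("featured-image" in lower
            and ("update" in lower or "edit" in lower)
            and TOKEN_RE.search(line) is not None)

def is_suspicious_metadata(value: str) -> bool:
    """True if a stored metadata value carries tags, javascript: URLs or inline event handlers."""
    return MARKUP_RE.search(value) is not None

def scan_log(lines):
    """Return attachment ids whose featured-image metadata update carried suspicious markup."""
    flagged = []
    for line in lines:
        m = FIELD_RE.search(line)
        if m and "featured-image" in line and is_suspicious_metadata(m.group(3)):
            flagged.append(int(m.group(1)))
    return flagged

# Constructed sample log lines (not from a real site).
SAMPLE_LOG = [
    '2025-10-01T10:00:01Z featured-image update attachment_id=42 field=alt value="Team photo"',
    '2025-10-01T10:00:02Z featured-image update attachment_id=43 field=alt value="<img src=x onerror=alert(1)>"',
    '2025-10-01T10:00:03Z featured-image edit attachment_id=44 field=description value="Product description"',
    '2025-10-01T10:00:04Z core update plugin=akismet version=5.3',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(matches_siem_query(line), matches_siem_query_strict(line), line)
    print("flagged attachments:", scan_log(SAMPLE_LOG))
```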
🔗 References
- https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/featured-image/stored-xss.md
- https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L26
- https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L35
- https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L65
- https://wordpress.org/plugins/featured-image/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fa16605a-12bd-48a8-b9a9-db53bf3c2c39?source=cve