CVE-2025-4431

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to modify the featured image of any post without proper authorization. It affects all WordPress sites using the Featured Image Plus plugin up to version 1.6.3. The issue stems from missing capability checks in the fip_save_attach_featured function.
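To show the root cause named above, here is an added illustration, not the plugin's own code, of an admin-ajax featured-image handler first in the unchecked form the advisory describes and then with the per-post capability check that a Subscriber fails; the function names, the nonce action and the AJAX action name are hypothetical placeholders.

```php
<?php
// Hypothetical illustration, not code from the Featured Image Plus plugin:
// a WordPress admin-ajax handler that sets a post's featured image, shown as
// the unsafe pattern (no capability check) and then hardened.

// UNSAFE pattern: every logged-in user can reach wp_ajax_* handlers, and
// nothing here checks that the caller is allowed to edit the target post.
function example_unsafe_attach_featured() {
    $post_id       = absint( $_POST['post_id'] ?? 0 );
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    set_post_thumbnail( $post_id, $attachment_id ); // runs for any authenticated user
    wp_send_json_success();
}

// HARDENED: nonce check against CSRF, then a per-post capability check, so a
// Subscriber (who lacks edit_post on other users' posts) is refused with 403.
function example_safe_attach_featured() {
    check_ajax_referer( 'example_fip_nonce', 'nonce' ); // dies with 403 on failure

    $post_id       = absint( $_POST['post_id'] ?? 0 );
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );

    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( ! $attachment_id || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    set_post_thumbnail( $post_id, $attachment_id );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Only the hardened handler is registered; 'example_attach_featured' is a
// placeholder action name, not the plugin's real one.
add_action( 'wp_ajax_example_attach_featured', 'example_safe_attach_featured' );
```

The capability check must be against the specific post (`edit_post` with `$post_id`), not a blanket role test, so that Authors and Contributors are still limited to posts they may edit.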

💻 Affected Systems

Products:
  • Featured Image Plus – Quick & Bulk Edit with Unsplash WordPress plugin
Versions: All versions up to and including 1.6.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Any authenticated user (Subscriber role or higher) can exploit this.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could deface websites by replacing legitimate featured images with malicious content, potentially spreading malware or inappropriate material across all posts.

🟠 Likely Case

Subscribers or low-privilege users could tamper with post images, causing content integrity issues and minor website defacement.

🟢 If Mitigated

With proper user role management and monitoring, impact would be limited to minor content modifications that can be quickly reverted.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple: an attacker only needs to send a crafted HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.4 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/featured-image-plus/trunk/inc/admin/block-editor/block-editor-actions.php#L204

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Featured Image Plus – Quick & Bulk Edit with Unsplash'
4. Click 'Update Now' if available
5. Alternatively, download version 1.6.4+ from WordPress plugin repository

🔧 Temporary Workarounds

Disable Plugin (Platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate featured-image-plus

Restrict User Roles (Platform: all)

Limit Subscriber and Contributor role assignments.

🧯 If You Can't Patch

  • Remove the Featured Image Plus plugin entirely
  • Implement strict user role management and audit all user accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Featured Image Plus version. If the version is 1.6.3 or lower, the site is vulnerable.

Check Version:

wp plugin get featured-image-plus --field=version

Verify Fix Applied:

Verify plugin version is 1.6.4 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=fip_save_attach_featured from low-privilege users
  • Unexpected featured image changes in post revision history

Network Indicators:

  • HTTP POST requests containing 'fip_save_attach_featured' action parameter

SIEM Query:

source="wordpress_logs" action="fip_save_attach_featured" (user_role="subscriber" OR user_role="contributor")
